Compare commits


148 Commits

Author SHA1 Message Date
063a4d4f5c wip: improving inventory discovery 2026-03-04 07:18:20 -05:00
ff7d2fb89e fix: Complete brocade switch config and auth refactoring
Some checks failed
Run Check Script / check (push) Successful in 1m12s
Compile and package harmony_composer / package_harmony_composer (push) Failing after 2m57s
2026-02-17 10:31:30 -05:00
9bb38b930a Merge pull request 'refactor: brocade switch slight improvements' (#233) from fix/brocade into master
Some checks failed
Run Check Script / check (push) Failing after -10s
Compile and package harmony_composer / package_harmony_composer (push) Failing after 2m54s
Reviewed-on: #233
2026-02-17 15:16:42 +00:00
c677487a5e Merge pull request 'feat/drain_k8s_node' (#232) from feat/drain_k8s_node into master
Some checks failed
Run Check Script / check (push) Successful in 1m0s
Compile and package harmony_composer / package_harmony_composer (push) Failing after 3m11s
Reviewed-on: #232
Reviewed-by: stremblay <stremblay@nationtech.io>
2026-02-17 15:01:08 +00:00
c1d46612ac fix: dnsmasq now replaces mac address
All checks were successful
Run Check Script / check (pull_request) Successful in 1m2s
2026-02-17 10:00:11 -05:00
4fba01338d feat: Reboot k8s node works, good logs and tests
All checks were successful
Run Check Script / check (pull_request) Successful in 1m3s
2026-02-17 09:30:04 -05:00
913ed17453 Merge remote-tracking branch 'origin/master' into feat/drain_k8s_node 2026-02-17 09:15:06 -05:00
9e185cbbd5 chore: cleanup comments 2026-02-17 09:15:03 -05:00
752526f831 fix: reboot node now works with correct command
Some checks failed
Run Check Script / check (pull_request) Failing after 54s
2026-02-16 23:04:18 -05:00
f9bd6ad260 refactor: brocade switch slight improvements
Some checks failed
Run Check Script / check (pull_request) Failing after -10s
2026-02-16 21:08:56 -05:00
111181c300 wip
Some checks failed
Run Check Script / check (pull_request) Failing after 54s
2026-02-16 20:54:46 -05:00
3257cd9569 wip: Reboot node cleanly via k8s api, copy files on node, run remote command with output, orchestrate network configuration, and some more
All checks were successful
Run Check Script / check (pull_request) Successful in 1m13s
2026-02-15 22:17:43 -05:00
4b1915c594 Merge pull request 'feat: improve output related to storage in the discovery process' (#231) from feat/improve-disk-device-display into master
All checks were successful
Run Check Script / check (push) Successful in 1m6s
Compile and package harmony_composer / package_harmony_composer (push) Successful in 7m17s
Reviewed-on: #231
2026-02-15 18:22:54 +00:00
cf3050ce87 feat(k8s client): K8sClient module now holds the responsibility for the k8s distribution detection, add resource bundle useful for easy create and delete of a bunch of related resources.
First use case is creating a privileged pod allowing writing to nodes on
openshift family clusters. This requires creating the clusterrolebinding
and pod and other resources.
2026-02-15 09:14:49 -05:00
c3e27c60be feat: improve output related to storage in the discovery process
All checks were successful
Run Check Script / check (pull_request) Successful in 1m55s
2026-02-14 15:32:01 -05:00
2d26790c82 wip: K8s copy file on node refactoring to extract helpers and add tests 2026-02-14 10:22:48 -05:00
2e89308b82 wip: Copy files on k8s node via ephemeral pod and configmap 2026-02-14 08:07:03 -05:00
d8936a8307 feat(okd/network_manager): Add get_node_name_for_id and refactor 2026-02-13 15:49:24 -05:00
e2fa12508f feat: Add k8s client drain node functionality with tests and example 2026-02-13 15:19:58 -05:00
bea2a75882 doc(opnsense): Add note that dnsmasq mac addresses will be dropped when
setting static host
2026-02-13 15:18:20 -05:00
a1528665d0 Merge remote-tracking branch 'origin/doc-and-braindump'
All checks were successful
Run Check Script / check (push) Successful in 1m18s
Compile and package harmony_composer / package_harmony_composer (push) Successful in 8m47s
2026-02-12 10:52:38 -05:00
613225a00b chore: push misc formatting and details
Some checks failed
Run Check Script / check (push) Has been cancelled
Compile and package harmony_composer / package_harmony_composer (push) Has been cancelled
2026-02-12 10:50:16 -05:00
dd1c088f0d example: Nats supercluster enable jetstream 2026-02-12 10:42:56 -05:00
b4ef009804 chore: Add node in cargo.toml to replace with serde-saphyr as serde_yaml is deprecated
Some checks failed
Run Check Script / check (push) Successful in 2m17s
Compile and package harmony_composer / package_harmony_composer (push) Has been cancelled
2026-02-12 10:42:16 -05:00
191e92048b feat: git ignore all ignore folders in the project 2026-02-12 10:42:16 -05:00
f4a70d8978 Merge pull request 'feat: integrate-brocade' (#230) from feat/integrate-brocade into master
Some checks failed
Run Check Script / check (push) Has been cancelled
Compile and package harmony_composer / package_harmony_composer (push) Has been cancelled
Reviewed-on: #230
2026-02-12 15:41:15 +00:00
2ddc9c0579 fix: format
All checks were successful
Run Check Script / check (pull_request) Successful in 1m12s
2026-02-12 10:31:06 -05:00
fececc2efd Creating a BrocadeSwitchConfig struct
Some checks failed
Run Check Script / check (pull_request) Failing after 0s
2026-02-09 11:24:29 -05:00
8afcacbd24 feat: integrate brocade 2026-02-09 09:53:16 -05:00
84992b7ada Merge pull request 'fix: use installation_device from host_config in bootstrap_okd_node' (#228) from fix/installation-device-for-nodes-in-byMAC into master
All checks were successful
Run Check Script / check (push) Successful in 1m7s
Compile and package harmony_composer / package_harmony_composer (push) Successful in 8m20s
Reviewed-on: #228
2026-02-05 22:38:00 +00:00
7cd3c8b93d fix: shorthand
All checks were successful
Run Check Script / check (pull_request) Successful in 1m10s
2026-02-05 17:29:10 -05:00
83459eb2a6 fix: satisfy my ocd :)
All checks were successful
Run Check Script / check (pull_request) Successful in 1m8s
2026-02-05 17:04:53 -05:00
d6ddbfa51a fix: use installation_device from host_config in bootstrap_okd_node
All checks were successful
Run Check Script / check (pull_request) Successful in 1m11s
2026-02-05 16:57:14 -05:00
c6ca3d38d1 Merge pull request 'feat/harmony_agent' (#220) from feat/harmony_agent into master
Some checks failed
Run Check Script / check (push) Successful in 1m7s
Compile and package harmony_composer / package_harmony_composer (push) Failing after 9m50s
Reviewed-on: #220
2026-02-04 21:05:34 +00:00
4c79a7628d Merge branch 'master' into feat/harmony_agent
All checks were successful
Run Check Script / check (pull_request) Successful in 1m8s
2026-02-04 16:03:22 -05:00
7ca1a64038 feat: completed harmony_agent implementation for primary and replica agents, fixed a test
All checks were successful
Run Check Script / check (pull_request) Successful in 1m7s
2026-02-04 15:56:40 -05:00
333884a81a Merge pull request 'feat: created decentralized topology, capability nats and nats super cluster' (#221) from feat/nats_capability into master
All checks were successful
Run Check Script / check (push) Successful in 1m8s
Compile and package harmony_composer / package_harmony_composer (push) Successful in 9m48s
Reviewed-on: #221
Reviewed-by: johnride <jg@nationtech.io>
2026-02-04 19:05:50 +00:00
74e6da1a16 Merge branch 'master' into feat/nats_capability
All checks were successful
Run Check Script / check (pull_request) Successful in 1m5s
2026-02-04 14:03:47 -05:00
0372cc3f31 Merge pull request 'fix/nats-isp' (#226) from fix/nats-isp into feat/nats_capability
All checks were successful
Run Check Script / check (pull_request) Successful in 1m5s
Reviewed-on: #226
2026-02-04 18:55:12 +00:00
de14ba6b97 fix(agent): fetch from store returns metadata to allow rebuilding states properly
Some checks failed
Run Check Script / check (pull_request) Failing after 5s
2026-02-04 12:10:33 -05:00
a08c3fb03b wip: save new cluster info state
Some checks failed
Run Check Script / check (pull_request) Failing after 5s
2026-02-04 11:47:11 -05:00
17b3b3b351 test(agent): Wrote first few tests for Primary workflow use cases: initializing to healthy, healthy to failed
Some checks failed
Run Check Script / check (pull_request) Failing after 6s
2026-02-04 09:26:10 -05:00
01a775a01f wip(agent): workflows now return new cluster state when they decide to alter it, primary taking control of current_primary case handled but using wrong ID
Some checks failed
Run Check Script / check (pull_request) Failing after 7s
2026-02-04 07:01:13 -05:00
9c551a0eba fix: Agent can now reload heartbeat info from store
Some checks failed
Run Check Script / check (pull_request) Failing after 10s
2026-02-03 22:12:44 -05:00
a88d67627a chore: Add a note and delete old code
Some checks failed
Run Check Script / check (pull_request) Failing after 6s
2026-02-03 20:46:18 -05:00
5b04cc96d7 wip: we want to initialize to the right seq number after a restart
Some checks failed
Run Check Script / check (pull_request) Failing after 6s
2026-02-03 14:50:03 -05:00
73cda3425f Merge branch 'feat/harmony_agent' of https://git.nationtech.io/NationTech/harmony into feat/harmony_agent 2026-02-03 11:53:27 -05:00
7065e90475 feat: use the role of the agent to define its name 2026-02-03 11:45:03 -05:00
a20919bbda wip: write cluster state to jetstream kv
Some checks failed
Run Check Script / check (pull_request) Failing after 8s
2026-02-03 11:43:22 -05:00
948334b89e wip: cleaning up llm code, pretty close to something comprehensible and robust
Some checks failed
Run Check Script / check (pull_request) Failing after 13s
2026-02-03 06:39:56 -05:00
2a1d489b78 Merge pull request 'feat: support use-swap-file opnsense xml field' (#227) from feat/support-use-swap-file into master
All checks were successful
Run Check Script / check (push) Successful in 1m11s
Compile and package harmony_composer / package_harmony_composer (push) Successful in 9m39s
Reviewed-on: #227
2026-02-02 20:06:33 +00:00
4507504c47 feat: support use-swap-file opnsense xml field
All checks were successful
Run Check Script / check (pull_request) Successful in 1m11s
2026-02-02 14:56:26 -05:00
50aa545bd9 wip(harmony_agent): It compiles, contains most if not all of the required skeleton, now time to review it carefully, complete a few details and battle test it
Some checks failed
Run Check Script / check (pull_request) Failing after 11s
2026-02-01 20:54:11 -05:00
8b200cfe91 chore: removed commented code
All checks were successful
Run Check Script / check (pull_request) Successful in 1m9s
2026-01-30 14:02:52 -05:00
f6ff78a573 Merge branch 'feat/nats_capability' into fix/nats-isp
All checks were successful
Run Check Script / check (pull_request) Successful in 1m8s
2026-01-30 13:50:07 -05:00
329d5d8473 fix: format
All checks were successful
Run Check Script / check (pull_request) Successful in 1m9s
2026-01-30 13:42:01 -05:00
cd81d6584c fix: removed nats implementation details from k8sanywhere, added secret prompt for nats cluster using harmony secret 2026-01-30 13:41:38 -05:00
a0f32bb565 wip: working on separation of concerns 2026-01-30 10:57:22 -05:00
0cff1e0f66 feat: Harmony agent new algorithm based on heartbeat counters basics. Old code will need to be refactored completely
Some checks failed
Run Check Script / check (pull_request) Failing after 11s
2026-01-30 06:58:03 -05:00
29d2d620d1 Merge pull request 'feat: introduced crate tokio-retry to allow multiple attempts to get secret from k8s' (#225) from fix/nats-capability-retry into feat/nats_capability
All checks were successful
Run Check Script / check (pull_request) Successful in 1m14s
Reviewed-on: #225
2026-01-29 20:42:32 +00:00
7df8429181 feat: introduced crate tokio-retry to allow multiple attempts to get secret from k8s
All checks were successful
Run Check Script / check (pull_request) Successful in 1m9s
2026-01-29 15:03:33 -05:00
0358ea5959 Merge pull request 'fix: support DiscoveryStrategy in OKDSetup01InventoryScore' (#224) from fix/support-discovery-strategy-OKDSetup01InventoryScore into master
Some checks failed
Run Check Script / check (push) Successful in 1m14s
Compile and package harmony_composer / package_harmony_composer (push) Failing after 2m59s
Reviewed-on: #224
2026-01-28 20:48:28 +00:00
eebda0f4aa chore: format
All checks were successful
Run Check Script / check (pull_request) Successful in 1m14s
2026-01-28 15:20:33 -05:00
666a3c0071 fix: modified nats trait and nats supercluster trait to better respect interface segregation
All checks were successful
Run Check Script / check (pull_request) Successful in 1m12s
2026-01-28 15:16:46 -05:00
a8217887f4 Merge branch 'master' into fix/support-discovery-strategy-OKDSetup01InventoryScore
Some checks failed
Run Check Script / check (pull_request) Failing after 13s
2026-01-28 20:16:29 +00:00
edf94554b8 fix: formatting and example env variables
All checks were successful
Run Check Script / check (pull_request) Successful in 1m13s
2026-01-28 14:43:50 -05:00
4ea3d7f69c fix: support DiscoveryStrategy in OKDSetup01InventoryScore
Some checks failed
Run Check Script / check (pull_request) Failing after 10s
2026-01-28 14:41:49 -05:00
00d4b9de73 fix: added fullnameOverride to helmchart score values so that the helm deployed cluster name and service name match the cluster name defined in the NatsK8sScore, without this field helm appends -nats to svc and cluster name, breaking the tls chain 2026-01-28 14:25:24 -05:00
cb90788129 Merge pull request 'fix(deps): updating fqdn version as the one currently in use has been yanked' (#223) from fix/update-fqdn-version into master
Some checks failed
Run Check Script / check (push) Successful in 1m35s
Compile and package harmony_composer / package_harmony_composer (push) Failing after 10m47s
Reviewed-on: #223
2026-01-28 19:21:25 +00:00
5ee9643a6c fix(deps): updating fqdn version as the one currently in use has been yanked
All checks were successful
Run Check Script / check (pull_request) Successful in 1m14s
2026-01-28 10:27:10 -05:00
92d4e3488a refactor: modified struct to accept N sites and N clusters 2026-01-28 09:43:43 -05:00
e557270960 Merge pull request 'feat/ask-for-main-disk' (#222) from feat/ask-for-main-disk into master
Some checks failed
Run Check Script / check (push) Successful in 1m59s
Compile and package harmony_composer / package_harmony_composer (push) Failing after 9m32s
Reviewed-on: #222
2026-01-27 17:13:56 +00:00
54320e2ebe chore: refactor PhysicalHost into a tuple with HostConfig, it contains only installation device for now but it saves some mishaps
All checks were successful
Run Check Script / check (pull_request) Successful in 1m13s
2026-01-27 12:11:49 -05:00
fdd5d1b47c in the middle of HostConfig refactor 2026-01-27 12:03:23 -05:00
6ff43f4775 Remove nanodc example 2026-01-27 11:47:25 -05:00
f6b0f321b4 refactor: get_host_for_role -> get_hosts_for_role 2026-01-27 09:46:49 -05:00
619ac99b44 feat: query for installation disk during discovery, store it in host_role_mapping 2026-01-27 09:22:24 -05:00
922dd794d9 feat: run sqlx migrations automatically 2026-01-27 07:47:14 -05:00
8959719375 wip: created decentralized topology, capability nats and nats super cluster
Some checks failed
Run Check Script / check (pull_request) Failing after 17s
2026-01-26 16:21:26 -05:00
9e1095fb9b Merge pull request 'feat/nats' (#207) from feat/nats into master
All checks were successful
Run Check Script / check (push) Successful in 1m16s
Compile and package harmony_composer / package_harmony_composer (push) Successful in 7m58s
Reviewed-on: #207
2026-01-26 16:32:05 +00:00
4758465b28 Merge remote-tracking branch 'origin/master' into feat/nats
All checks were successful
Run Check Script / check (pull_request) Successful in 1m13s
2026-01-26 11:28:46 -05:00
8ae38399b7 Merge pull request 'feat: use interactive_parse lib to query for secrets attributes values' (#219) from feat/json-attributes-prompt into master
All checks were successful
Run Check Script / check (push) Successful in 1m13s
Compile and package harmony_composer / package_harmony_composer (push) Successful in 7m33s
Reviewed-on: #219
2026-01-26 15:54:04 +00:00
565bb4afa1 chore: formatting
All checks were successful
Run Check Script / check (pull_request) Successful in 1m15s
2026-01-26 10:50:16 -05:00
25d5aff158 chore: remove useless comments
Some checks failed
Run Check Script / check (pull_request) Failing after 15s
2026-01-26 10:45:48 -05:00
95f860809e chore: remove useless comments
All checks were successful
Run Check Script / check (pull_request) Successful in 1m14s
2026-01-26 10:43:02 -05:00
ce53ae0e04 Merge branch 'master' into feat/json-attributes-prompt
All checks were successful
Run Check Script / check (pull_request) Successful in 1m17s
2026-01-26 15:38:30 +00:00
deca67fd55 feat(backend_app): Deployment now pretty much works to package and deploy an app with an existing Docker image and type-safe helm chart on local k3d, not tested for remote k8s with Argo yet
Some checks failed
Run Check Script / check (pull_request) Failing after 17s
2026-01-25 22:54:14 -05:00
0cc5f505f8 feat(harmony_execution): New crate to contain utils for execution such
as command line
2026-01-25 22:52:29 -05:00
ab68e7309d feat: Use k8s openapi structs as helm chart resources following ADR 018
Some checks failed
Run Check Script / check (pull_request) Failing after 21s
2026-01-23 23:31:37 -05:00
093e0d54c0 Merge pull request 'adr/nats-islands-of-trust' (#209) from adr/nats-islands-of-trust into feat/nats
All checks were successful
Run Check Script / check (pull_request) Successful in 1m16s
Reviewed-on: #209
2026-01-23 20:05:58 +00:00
8657261342 fix: extracted variables, removed uncool side effect
All checks were successful
Run Check Script / check (pull_request) Successful in 1m17s
2026-01-23 15:03:03 -05:00
c20db5b361 doc(adr): New ADR Template hydration for strongly typed workload deployment
Some checks failed
Run Check Script / check (pull_request) Failing after 19s
2026-01-23 11:49:32 -05:00
33476e899e Merge pull request 'fix: modified cert-manager ensure ready to check for existence of pods with labels matching cert-manager in kubernetes env. replaced deprecated olm subscription based install of cert-manager for supported helm-chart' (#218) from fix/cert-manager into master
All checks were successful
Run Check Script / check (push) Successful in 1m17s
Compile and package harmony_composer / package_harmony_composer (push) Successful in 7m31s
Reviewed-on: #218
2026-01-23 16:28:34 +00:00
d0cd21c322 fix: improved logging and function names for clarity
All checks were successful
Run Check Script / check (pull_request) Successful in 1m17s
2026-01-23 11:26:35 -05:00
b2f0773795 wip: Working on backend app deployment 2026-01-23 09:34:58 -05:00
9c6b780634 feat: use interactive_parse lib to query for secrets attributes values
All checks were successful
Run Check Script / check (pull_request) Successful in 1m20s
2026-01-23 08:55:07 -05:00
3682a0cb5f feat: First draft of harmony_agent project that will synchronize multiple clusters using nats supercluster to communicate 2026-01-23 08:54:40 -05:00
53e1711aef Merge pull request 'feat: Create st-test example, fix a couple new missing xml fields for opnsense, fix bad HostRole' (#217) from feat/st_test into master
All checks were successful
Run Check Script / check (push) Successful in 1m20s
Compile and package harmony_composer / package_harmony_composer (push) Successful in 7m50s
Reviewed-on: #217
Reviewed-by: wjro <wrolleman@nationtech.io>
2026-01-22 20:59:23 +00:00
f37a8e373a fix: modified cert-manager ensure ready to check for existence of pods with labels matching cert-manager in kubernetes env. replaced deprecated olm subscription based install of cert-manager for supported helm-chart
All checks were successful
Run Check Script / check (pull_request) Successful in 1m20s
2026-01-22 15:56:17 -05:00
c631b3aef9 fix more opnsense stuff, remove installation notes
All checks were successful
Run Check Script / check (pull_request) Successful in 1m19s
2026-01-22 15:54:19 -05:00
3e2d94cff0 adding Cargo.lock
All checks were successful
Run Check Script / check (pull_request) Successful in 1m19s
2026-01-22 14:54:39 -05:00
c9e39d11ad fix: fix opnsense stuff for opnsense 25.1 test file
Some checks failed
Run Check Script / check (pull_request) Failing after 12s
2026-01-22 14:52:29 -05:00
740b5500f2 feat: added poc for deploying nats supercluster with certificates, issuers, and okd routes
All checks were successful
Run Check Script / check (pull_request) Successful in 1m20s
2026-01-22 11:37:10 -05:00
52bff9b6be fix: mod.rs 2026-01-22 11:37:10 -05:00
bc962be31f fix: moved cert management ensure ready to k8sanywhere 2026-01-22 11:37:10 -05:00
f6a20832cf lint: Remove useless variable assignment 2026-01-22 11:37:10 -05:00
a4515d34ae fix: modified score names for better clarity 2026-01-22 11:37:10 -05:00
2b324d7962 fix: modified trait to use other return types, modified trait function name to be ensure ready, use rust CRD definitions rather than constructing gvk for certificateManagement trait function in k8sanywhere 2026-01-22 11:37:10 -05:00
779444699f fix: modified k8sanywhere implementation of get_ca_cert to use the kubernetes certificate name to find its respective secret and ca.crt 2026-01-22 11:37:10 -05:00
865dab2fc1 feat: added fn get_ca_cert to trait certificateManagement 2026-01-22 11:37:10 -05:00
502e544cd3 cargo fmt 2026-01-22 11:37:10 -05:00
4f2a7050f5 feat: added working examples to add self signed issuer and self signed certificate. modified get_resource_json_value to be able to get cluster scoped operators 2026-01-22 11:37:10 -05:00
26256d9945 fix: added create_issuer fn to trait and its implementation in k8sanywhere 2026-01-22 11:37:10 -05:00
947733b240 wip: added scores and basic implementation to create certs and issuers 2026-01-22 11:37:10 -05:00
d3a8171e3c feat(cert-manager): added crds for cert-manager 2026-01-22 11:37:10 -05:00
043cd561e9 feat: added cert manager capability as well as scores to install openshift subscription to community cert-manager operator 2026-01-22 11:37:10 -05:00
5ed14b75ed chore: fix formatting 2026-01-22 08:47:56 -05:00
25a45096f8 doc: adding installation notes file 2026-01-21 16:22:59 -05:00
74252ded5c chore: remove useless brocade stuff
Some checks failed
Run Check Script / check (pull_request) Failing after 24s
2026-01-21 15:12:23 -05:00
0ecadbfb97 chore: remove unused import
Some checks failed
Run Check Script / check (pull_request) Failing after 23s
2026-01-21 15:07:35 -05:00
eb492f3ca9 fix: remove double definition of RUST_LOG in env.sh
Some checks failed
Run Check Script / check (pull_request) Failing after 19m39s
2026-01-21 14:02:58 -05:00
de3c8e9a41 adding data symlink
Some checks failed
Run Check Script / check (pull_request) Failing after 31s
2026-01-21 13:59:22 -05:00
2ef2d9f064 Fix HostRole (ControlPlane -> Worker) in workers score, fix main, add topology.rs 2026-01-21 13:56:28 -05:00
d2d18205e9 fix deps in Cargo.toml, create env.sh file 2026-01-21 13:09:26 -05:00
0b55a6fb53 fix: add new xml fields after updating opnsense 2026-01-20 14:27:28 -05:00
2dc65531c3 Merge pull request 'feat/cert_manager_crds' (#211) from feat/cert_manager_crds into master
Some checks failed
Compile and package harmony_composer / package_harmony_composer (push) Failing after 11m21s
Run Check Script / check (push) Failing after 11m50s
Reviewed-on: #211
2026-01-20 18:46:20 +00:00
1e98100ed4 fix: mod.rs
All checks were successful
Run Check Script / check (pull_request) Successful in 1m21s
2026-01-20 13:43:52 -05:00
ab33aba776 fix: moved cert management ensure ready to k8sanywhere
Some checks failed
Run Check Script / check (pull_request) Failing after 26s
2026-01-20 13:21:24 -05:00
c3ac0bafad lint: Remove useless variable assignment
All checks were successful
Run Check Script / check (pull_request) Successful in 1m27s
2026-01-20 12:11:48 -05:00
54a53fa982 fix: modified score names for better clarity
All checks were successful
Run Check Script / check (pull_request) Successful in 1m29s
2026-01-19 12:48:47 -05:00
731d59c8b0 fix: modified trait to use other return types, modified trait function name to be ensure ready, use rust CRD definitions rather than constructing gvk for certificateManagement trait function in k8sanywhere 2026-01-19 11:37:47 -05:00
001dd5269c add (now commented) line to init env_logger 2026-01-18 10:07:28 -05:00
9978acf16d feat: change staticroutes->route to Option<RawXml> instead of MaybeString 2026-01-18 10:06:15 -05:00
c6642db6fb fix: modified k8sanywhere implementation of get_ca_cert to use the kubernetes certificate name to find its respective secret and ca.crt
All checks were successful
Run Check Script / check (pull_request) Successful in 1m46s
2026-01-16 13:39:10 -05:00
8f111bcb8b feat: added fn get_ca_cert to trait certificateManagement
All checks were successful
Run Check Script / check (pull_request) Successful in 1m40s
2026-01-16 13:16:06 -05:00
ced371ca43 feat: Nats supercluster example working
Some checks failed
Run Check Script / check (pull_request) Failing after 42s
2026-01-16 09:45:59 -05:00
f319f74edf cargo fmt
All checks were successful
Run Check Script / check (pull_request) Successful in 1m46s
2026-01-14 16:19:56 -05:00
f576effeca feat: added working examples to add self signed issuer and self signed certificate. modified get_resource_json_value to be able to get cluster scoped operators 2026-01-14 16:18:59 -05:00
25c5cd84fe fix: added create_issuer fn to trait and its implementation in k8sanywhere
All checks were successful
Run Check Script / check (pull_request) Successful in 1m43s
2026-01-14 14:39:05 -05:00
dc421fa099 wip: added scores and basic implementation to create certs and issuers
Some checks failed
Run Check Script / check (pull_request) Failing after 50s
2026-01-13 15:43:58 -05:00
2153edc68c feat(cert-manager): added crds for cert-manager 2026-01-13 14:05:10 -05:00
1837623394 adr: 17-1 nats clusters interconnection using islands of trust. mTLS via shared ca-bundle with each cluster distributing its own CA.
Some checks failed
Run Check Script / check (pull_request) Failing after 51s
2026-01-13 10:40:30 -05:00
270b6b87df wip nats supercluster
Some checks failed
Run Check Script / check (pull_request) Failing after 51s
2026-01-09 17:30:51 -05:00
6933280575 feat(helm): refactor helm execution to use topology-specific commands
Some checks failed
Run Check Script / check (pull_request) Failing after 8s
Refactors the `HelmChartInterpret` to move away from the `helm-wrapper-rs` crate in favor of a custom command builder pattern. This allows the `HelmCommand` trait to provide topology-specific configurations, such as `kubeconfig` and `kube-context`, directly to the `helm` CLI.

- Implements `get_helm_command` for `K8sAnywhereTopology` to inject configuration flags.
- Replaces `DefaultHelmExecutor` with a manual `Command` construction in `run_helm_command`.
- Updates `HelmChartInterpret` to pass the topology through to repository and installation logic.
- Cleans up unused imports and removes the temporary `HelmCommand` implementation for `LocalhostTopology`.
2026-01-08 23:42:54 -05:00
77583a1ad1 wip: nats multi cluster, fixing helm command to follow multiple k8s config by providing the helm command from the topology itself, fix cli_logger that can now be initialized multiple times, some more stuff 2026-01-08 16:03:15 -05:00
f7404bed36 wip: initial setup for installing nats helm chart score 2026-01-07 16:14:58 -05:00
b885c35706 Merge branch 'master' into doc-and-braindump 2025-11-13 23:46:39 +00:00
Ian Letourneau
bb6b4b7f88 docs: New docs structure & rustdoc for HostNetworkConfigScore
All checks were successful
Run Check Script / check (pull_request) Successful in 1m43s
2025-11-13 18:42:26 -05:00
169 changed files with 15084 additions and 3813 deletions

View File

@@ -1,2 +1,6 @@
target/
Dockerfile
Dockerfile
.git
data
target
demos
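Review bot: the resulting ignore list carries `Dockerfile` twice and swaps `target/` for a bare `target`; with the +/- markers not rendered, the header's 2-to-6 line counts only add up if the first `Dockerfile` is context and the second is a new line, so drop the duplicate and pick one spelling of the target entry (`target/` restricts the match to the directory). Excluding `.git` and `data` from the build context is the right move: it keeps repository history, and any local data kept under that path, out of the image layers.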

.gitignore (vendored): 5 changed lines
View File

@@ -24,3 +24,8 @@ Cargo.lock
# MSVC Windows builds of rustc generate these, which store debugging information
*.pdb
.harmony_generated
# Useful to create ignore folders for temp files and notes
ignore
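Review bot: the new `ignore` pattern has no trailing slash, so it matches any file named `ignore` as well as the directory the comment describes; `ignore/` expresses the intent exactly. Since the comment invites people to keep notes and temp files there, this one line is all that keeps whatever lands in it out of commits, so a pre-commit secret scan remains the safer backstop.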

View File

@@ -0,0 +1,26 @@
{
"db_name": "SQLite",
"query": "SELECT host_id, installation_device FROM host_role_mapping WHERE role = ?",
"describe": {
"columns": [
{
"name": "host_id",
"ordinal": 0,
"type_info": "Text"
},
{
"name": "installation_device",
"ordinal": 1,
"type_info": "Text"
}
],
"parameters": {
"Right": 1
},
"nullable": [
false,
true
]
},
"hash": "24f719d57144ecf4daa55f0aa5836c165872d70164401c0388e8d625f1b72d7b"
}
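Review bot: `nullable` marks `installation_device` as `true`, so the generated row type will expose it as `Option<String>` and every caller of this query has to decide what a host without a recorded installation device means (skip, prompt, or fail) rather than unwrapping it; hosts mapped before the column existed will hit that branch. The `role = ?` placeholder keeps the role value out of the SQL text, which is the right way to bind it.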

View File

@@ -1,20 +0,0 @@
{
"db_name": "SQLite",
"query": "SELECT host_id FROM host_role_mapping WHERE role = ?",
"describe": {
"columns": [
{
"name": "host_id",
"ordinal": 0,
"type_info": "Text"
}
],
"parameters": {
"Right": 1
},
"nullable": [
false
]
},
"hash": "2ea29df2326f7c84bd4100ad510a3fd4878dc2e217dc83f9bf45a402dfd62a91"
}

View File

@@ -1,12 +1,12 @@
{
"db_name": "SQLite",
"query": "\n INSERT INTO host_role_mapping (host_id, role)\n VALUES (?, ?)\n ",
"query": "\n INSERT INTO host_role_mapping (host_id, role, installation_device)\n VALUES (?, ?, ?)\n ",
"describe": {
"columns": [],
"parameters": {
"Right": 2
"Right": 3
},
"nullable": []
},
"hash": "df7a7c9cfdd0972e2e0ce7ea444ba8bc9d708a4fb89d5593a0be2bbebde62aff"
"hash": "6fcc29cfdbdf3b2cee94a4844e227f09b245dd8f079832a9a7b774151cb03af6"
}
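Review bot: the parameter count moves from `Right: 2` to `Right: 3` to match the new `installation_device` column, so every insert site must now bind three values; since the matching SELECT declares the column nullable, pass the `Option` through as NULL when the device is unknown rather than an empty string, which would survive a NULL check and only fail later when used as a device path. Both the old and new `query` and `hash` lines appear here because the rendering dropped the +/- markers; the `hash` field is regenerated by `cargo sqlx prepare`, so this file should never be hand-edited.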

Cargo.lock (generated): 471 changed lines
View File

@@ -243,7 +243,7 @@ checksum = "5a15f179cd60c4584b8a8c596927aadc462e27f2ca70c04e0071964a73ba7a75"
dependencies = [
"cfg-if",
"const-random",
"getrandom 0.3.3",
"getrandom 0.3.4",
"once_cell",
"version_check",
"zerocopy",
@@ -450,6 +450,43 @@ dependencies = [
"pin-project-lite",
]
[[package]]
name = "async-nats"
version = "0.45.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "86dde77d8a733a9dbaf865a9eb65c72e09c88f3d14d3dd0d2aecf511920ee4fe"
dependencies = [
"base64 0.22.1",
"bytes",
"futures-util",
"memchr",
"nkeys",
"nuid",
"once_cell",
"pin-project",
"portable-atomic",
"rand 0.8.5",
"regex",
"ring",
"rustls-native-certs 0.7.3",
"rustls-pemfile 2.2.0",
"rustls-webpki 0.102.8",
"serde",
"serde_json",
"serde_nanos",
"serde_repr",
"thiserror 1.0.69",
"time",
"tokio",
"tokio-rustls 0.26.2",
"tokio-stream",
"tokio-util",
"tokio-websockets",
"tracing",
"tryhard",
"url",
]
[[package]]
name = "async-stream"
version = "0.3.6"
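Review bot: `async-nats 0.45.0` is a new dependency that brings its own TLS and key stack (`ring`, `rustls-webpki 0.102.8`, `rustls-native-certs 0.7.3`, `nkeys`, `tokio-rustls 0.26.2`, `tokio-websockets`) into the tree, so this is the hunk a supply-chain review should dwell on: confirm the `checksum` line matches the crates.io index entry, run `cargo audit` or `cargo deny check` against the new lock, and note that the version-suffixed entries (`base64 0.22.1`, `rand 0.8.5`, `thiserror 1.0.69`) mean the workspace now carries more than one version of each of those crates.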
@@ -686,6 +723,7 @@ dependencies = [
"regex",
"russh",
"russh-keys",
"schemars 0.8.22",
"serde",
"tokio",
]
@@ -774,6 +812,9 @@ name = "bytes"
version = "1.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a"
dependencies = [
"serde",
]
[[package]]
name = "bytestring"
@@ -875,6 +916,22 @@ dependencies = [
"shlex",
]
[[package]]
name = "cert_manager"
version = "0.1.0"
dependencies = [
"assert_cmd",
"cidr",
"env_logger",
"harmony",
"harmony_cli",
"harmony_macros",
"harmony_types",
"log",
"tokio",
"url",
]
[[package]]
name = "cfg-if"
version = "1.0.3"
@@ -1205,6 +1262,22 @@ dependencies = [
"winapi 0.3.9",
]
[[package]]
name = "crossterm"
version = "0.26.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a84cda67535339806297f1b331d6dd6320470d2a0fe65381e79ee9e156dd3d13"
dependencies = [
"bitflags 1.3.2",
"crossterm_winapi",
"libc",
"mio 0.8.11",
"parking_lot",
"signal-hook",
"signal-hook-mio",
"winapi 0.3.9",
]
[[package]]
name = "crossterm"
version = "0.28.1"
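Review bot: two versions of `crossterm` now coexist, the new `0.26.1` beside the existing `0.28.1`, and the older one drags in `mio 0.8.11` and `bitflags 1.3.2` as second copies of crates the tree already resolves at newer versions; `cargo tree -i crossterm@0.26.1` will show which new dependency requests it, and bumping that dependency is cheaper than carrying two terminal stacks.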
@@ -1550,6 +1623,7 @@ dependencies = [
"rand_core 0.6.4",
"serde",
"sha2",
"signature",
"subtle",
"zeroize",
]
@@ -1754,6 +1828,40 @@ dependencies = [
"url",
]
[[package]]
name = "example-k8s-drain-node"
version = "0.1.0"
dependencies = [
"assert_cmd",
"cidr",
"env_logger",
"harmony",
"harmony_cli",
"harmony_macros",
"harmony_types",
"inquire 0.7.5",
"log",
"tokio",
"url",
]
[[package]]
name = "example-k8s-write-file-on-node"
version = "0.1.0"
dependencies = [
"assert_cmd",
"cidr",
"env_logger",
"harmony",
"harmony_cli",
"harmony_macros",
"harmony_types",
"inquire 0.7.5",
"log",
"tokio",
"url",
]
[[package]]
name = "example-kube-rs"
version = "0.1.0"
@@ -1763,7 +1871,7 @@ dependencies = [
"harmony",
"harmony_macros",
"http 1.3.1",
"inquire",
"inquire 0.7.5",
"k8s-openapi",
"kube",
"log",
@@ -1826,24 +1934,6 @@ dependencies = [
"url",
]
[[package]]
name = "example-nanodc"
version = "0.1.0"
dependencies = [
"brocade",
"cidr",
"env_logger",
"harmony",
"harmony_macros",
"harmony_secret",
"harmony_tui",
"harmony_types",
"log",
"serde",
"tokio",
"url",
]
[[package]]
name = "example-nats"
version = "0.1.0"
@@ -1859,6 +1949,38 @@ dependencies = [
"url",
]
[[package]]
name = "example-nats-module-supercluster"
version = "0.1.0"
dependencies = [
"cidr",
"env_logger",
"harmony",
"harmony_cli",
"harmony_macros",
"harmony_types",
"k8s-openapi",
"log",
"tokio",
"url",
]
[[package]]
name = "example-nats-supercluster"
version = "0.1.0"
dependencies = [
"cidr",
"env_logger",
"harmony",
"harmony_cli",
"harmony_macros",
"harmony_types",
"k8s-openapi",
"log",
"tokio",
"url",
]
[[package]]
name = "example-ntfy"
version = "0.1.0"
@@ -1902,6 +2024,7 @@ dependencies = [
"harmony_secret_derive",
"harmony_types",
"log",
"schemars 0.8.22",
"serde",
"tokio",
"url",
@@ -1942,9 +2065,29 @@ dependencies = [
"cidr",
"env_logger",
"harmony",
"harmony_cli",
"harmony_macros",
"harmony_secret",
"harmony_tui",
"harmony_types",
"log",
"schemars 0.8.22",
"serde",
"tokio",
"url",
]
[[package]]
name = "example-opnsense-node-exporter"
version = "0.1.0"
dependencies = [
"async-trait",
"cidr",
"env_logger",
"harmony",
"harmony_cli",
"harmony_macros",
"harmony_secret",
"harmony_secret_derive",
"harmony_types",
"log",
"serde",
@@ -1982,25 +2125,6 @@ dependencies = [
"url",
]
[[package]]
name = "example-opnsense-node-exporter"
version = "0.1.0"
dependencies = [
"async-trait",
"cidr",
"env_logger",
"harmony",
"harmony_cli",
"harmony_macros",
"harmony_secret",
"harmony_secret_derive",
"harmony_types",
"log",
"serde",
"tokio",
"url",
]
[[package]]
name = "example-pxe"
version = "0.1.0"
@@ -2015,6 +2139,7 @@ dependencies = [
"harmony_secret_derive",
"harmony_types",
"log",
"schemars 0.8.22",
"serde",
"tokio",
"url",
@@ -2226,9 +2351,9 @@ dependencies = [
[[package]]
name = "fqdn"
version = "0.4.6"
version = "0.5.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c0f5d7f7b3eed2f771fc7f6fcb651f9560d7b0c483d75876082acb4649d266b3"
checksum = "886ac788f62d16d6b0f26b2fa762b34ef16ebfb4b624c2c15fbcadc9173c0f72"
dependencies = [
"punycode",
"serde",
@@ -2406,21 +2531,21 @@ dependencies = [
"cfg-if",
"js-sys",
"libc",
"wasi 0.11.1+wasi-snapshot-preview1",
"wasi",
"wasm-bindgen",
]
[[package]]
name = "getrandom"
version = "0.3.3"
version = "0.3.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "26145e563e54f2cadc477553f1ec5ee650b00862f0a58bcd12cbdc5f0ea2d2f4"
checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
dependencies = [
"cfg-if",
"js-sys",
"libc",
"r-efi",
"wasi 0.14.3+wasi-0.2.4",
"wasip2",
"wasm-bindgen",
]
@@ -2522,6 +2647,7 @@ dependencies = [
"env_logger",
"fqdn",
"futures-util",
"harmony_execution",
"harmony_inventory_agent",
"harmony_macros",
"harmony_secret",
@@ -2530,7 +2656,7 @@ dependencies = [
"helm-wrapper-rs",
"hex",
"http 1.3.1",
"inquire",
"inquire 0.7.5",
"k3d-rs",
"k8s-openapi",
"kube",
@@ -2562,12 +2688,50 @@ dependencies = [
"tempfile",
"thiserror 2.0.16",
"tokio",
"tokio-retry",
"tokio-util",
"url",
"uuid",
"walkdir",
]
[[package]]
name = "harmony_agent"
version = "0.1.0"
dependencies = [
"async-nats",
"async-trait",
"cidr",
"env_logger",
"getrandom 0.3.4",
"harmony",
"harmony_macros",
"harmony_types",
"log",
"pretty_assertions",
"serde",
"serde_json",
"thiserror 2.0.16",
"tokio",
]
[[package]]
name = "harmony_agent_deploy"
version = "0.1.0"
dependencies = [
"cidr",
"env_logger",
"harmony",
"harmony_cli",
"harmony_macros",
"harmony_types",
"log",
"serde",
"serde_json",
"tokio",
"url",
]
[[package]]
name = "harmony_cli"
version = "0.1.0"
@@ -2581,7 +2745,7 @@ dependencies = [
"harmony_tui",
"indicatif",
"indicatif-log-bridge",
"inquire",
"inquire 0.7.5",
"lazy_static",
"log",
"tokio",
@@ -2608,6 +2772,16 @@ dependencies = [
"tokio",
]
[[package]]
name = "harmony_execution"
version = "0.1.0"
dependencies = [
"directories",
"lazy_static",
"log",
"thiserror 2.0.16",
]
[[package]]
name = "harmony_inventory_agent"
version = "0.1.0"
@@ -2662,10 +2836,12 @@ dependencies = [
"harmony_secret_derive",
"http 1.3.1",
"infisical",
"inquire",
"inquire 0.7.5",
"interactive-parse",
"lazy_static",
"log",
"pretty_assertions",
"schemars 0.8.22",
"serde",
"serde_json",
"tempfile",
@@ -3330,6 +3506,22 @@ dependencies = [
"generic-array",
]
[[package]]
name = "inquire"
version = "0.6.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c33e7c1ddeb15c9abcbfef6029d8e29f69b52b6d6c891031b88ed91b5065803b"
dependencies = [
"bitflags 1.3.2",
"crossterm 0.25.0",
"dyn-clone",
"lazy_static",
"newline-converter 0.2.2",
"thiserror 1.0.69",
"unicode-segmentation",
"unicode-width 0.1.14",
]
[[package]]
name = "inquire"
version = "0.7.5"
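Review bot: this hunk introduces a second copy of `inquire` (0.6.2, pulled in by `interactive-parse` per the later hunk) next to the existing 0.7.5, and with it a second `crossterm` (0.25.0), a second `newline-converter` (0.2.2) and `thiserror 1.0.69`. Duplicate TUI stacks in one binary enlarge the build and the dependency audit surface for no functional gain; check whether `interactive-parse` can be bumped or patched to share `inquire 0.7.5`, and if not, record in the PR description that the duplication is accepted knowingly.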
@@ -3341,7 +3533,7 @@ dependencies = [
"dyn-clone",
"fuzzy-matcher",
"fxhash",
"newline-converter",
"newline-converter 0.3.0",
"once_cell",
"unicode-segmentation",
"unicode-width 0.1.14",
@@ -3360,6 +3552,22 @@ dependencies = [
"syn 2.0.106",
]
[[package]]
name = "interactive-parse"
version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "82c6684d66c9fd6b51cafbf2a9105583d5046dd4c6363f31745686f503a285e8"
dependencies = [
"crossterm 0.26.1",
"inquire 0.6.2",
"lazy_static",
"log",
"schemars 0.8.22",
"serde",
"serde_json",
"thiserror 1.0.69",
]
[[package]]
name = "io-uring"
version = "0.7.10"
@@ -3438,7 +3646,7 @@ version = "0.1.34"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9afb3de4395d6b3e67a780b6de64b51c978ecf11cb9a462c66be7d4ca9039d33"
dependencies = [
"getrandom 0.3.3",
"getrandom 0.3.4",
"libc",
]
@@ -3878,7 +4086,7 @@ checksum = "a4a650543ca06a924e8b371db273b2756685faae30f8487da1b56505a8f78b0c"
dependencies = [
"libc",
"log",
"wasi 0.11.1+wasi-snapshot-preview1",
"wasi",
"windows-sys 0.48.0",
]
@@ -3890,7 +4098,7 @@ checksum = "78bed444cc8a2160f01cbcf811ef18cac863ad68ae8ca62092e8db51d51c761c"
dependencies = [
"libc",
"log",
"wasi 0.11.1+wasi-snapshot-preview1",
"wasi",
"windows-sys 0.59.0",
]
@@ -3919,6 +4127,15 @@ dependencies = [
"syn 1.0.109",
]
[[package]]
name = "newline-converter"
version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1f71d09d5c87634207f894c6b31b6a2b2c64ea3bdcf71bd5599fdbbe1600c00f"
dependencies = [
"unicode-segmentation",
]
[[package]]
name = "newline-converter"
version = "0.3.0"
@@ -3928,6 +4145,21 @@ dependencies = [
"unicode-segmentation",
]
[[package]]
name = "nkeys"
version = "0.4.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "879011babc47a1c7fdf5a935ae3cfe94f34645ca0cac1c7f6424b36fc743d1bf"
dependencies = [
"data-encoding",
"ed25519",
"ed25519-dalek",
"getrandom 0.2.16",
"log",
"rand 0.8.5",
"signatory",
]
[[package]]
name = "non-blank-string-rs"
version = "1.0.4"
@@ -3946,6 +4178,15 @@ dependencies = [
"winapi 0.3.9",
]
[[package]]
name = "nuid"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fc895af95856f929163a0aa20c26a78d26bfdc839f51b9d5aa7a5b79e52b7e83"
dependencies = [
"rand 0.8.5",
]
[[package]]
name = "num-bigint"
version = "0.4.6"
@@ -4566,7 +4807,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f1906b49b0c3bc04b5fe5d86a77925ae6524a19b816ae38ce1e426255f1d8a31"
dependencies = [
"bytes",
"getrandom 0.3.3",
"getrandom 0.3.4",
"lru-slab",
"rand 0.9.2",
"ring",
@@ -4671,7 +4912,7 @@ version = "0.9.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "99d9a13982dcf210057a8a78572b2217b667c3beacbf3a0d8b454f6f82837d38"
dependencies = [
"getrandom 0.3.3",
"getrandom 0.3.4",
]
[[package]]
@@ -5207,6 +5448,16 @@ dependencies = [
"untrusted",
]
[[package]]
name = "rustls-webpki"
version = "0.102.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9"
dependencies = [
"rustls-pki-types",
"untrusted",
]
[[package]]
name = "rustls-webpki"
version = "0.103.4"
@@ -5470,6 +5721,15 @@ dependencies = [
"serde",
]
[[package]]
name = "serde_nanos"
version = "0.1.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a93142f0367a4cc53ae0fead1bcda39e85beccfad3dcd717656cacab94b12985"
dependencies = [
"serde",
]
[[package]]
name = "serde_path_to_error"
version = "0.1.17"
@@ -5637,6 +5897,18 @@ dependencies = [
"libc",
]
[[package]]
name = "signatory"
version = "0.27.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c1e303f8205714074f6068773f0e29527e0453937fe837c9717d066635b65f31"
dependencies = [
"pkcs8",
"rand_core 0.6.4",
"signature",
"zeroize",
]
[[package]]
name = "signature"
version = "2.2.0"
@@ -6062,6 +6334,26 @@ dependencies = [
"syn 2.0.106",
]
[[package]]
name = "sttest"
version = "0.1.0"
dependencies = [
"brocade",
"cidr",
"env_logger",
"harmony",
"harmony_cli",
"harmony_macros",
"harmony_secret",
"harmony_secret_derive",
"harmony_types",
"log",
"schemars 0.8.22",
"serde",
"tokio",
"url",
]
[[package]]
name = "subtle"
version = "2.6.1"
@@ -6200,7 +6492,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "15b61f8f20e3a6f7e0649d825294eaf317edce30f82cf6026e7e4cb9222a7d1e"
dependencies = [
"fastrand",
"getrandom 0.3.3",
"getrandom 0.3.4",
"once_cell",
"rustix 1.0.8",
"windows-sys 0.60.2",
@@ -6356,6 +6648,17 @@ dependencies = [
"syn 2.0.106",
]
[[package]]
name = "tokio-retry"
version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f57eb36ecbe0fc510036adff84824dd3c24bb781e21bfa67b69d556aa85214f"
dependencies = [
"pin-project",
"rand 0.8.5",
"tokio",
]
[[package]]
name = "tokio-rustls"
version = "0.24.1"
@@ -6413,6 +6716,27 @@ dependencies = [
"tokio",
]
[[package]]
name = "tokio-websockets"
version = "0.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f591660438b3038dd04d16c938271c79e7e06260ad2ea2885a4861bfb238605d"
dependencies = [
"base64 0.22.1",
"bytes",
"futures-core",
"futures-sink",
"http 1.3.1",
"httparse",
"rand 0.8.5",
"ring",
"rustls-pki-types",
"tokio",
"tokio-rustls 0.26.2",
"tokio-util",
"webpki-roots 0.26.11",
]
[[package]]
name = "toml"
version = "0.8.23"
@@ -6564,6 +6888,16 @@ version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
[[package]]
name = "tryhard"
version = "0.5.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9fe58ebd5edd976e0fe0f8a14d2a04b7c81ef153ea9a54eebc42e67c2c23b4e5"
dependencies = [
"pin-project-lite",
"tokio",
]
[[package]]
name = "tui-logger"
version = "0.14.5"
@@ -6740,7 +7074,7 @@ version = "1.18.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2f87b8aa10b915a06587d0dec516c282ff295b475d94abf425d62b57710070a2"
dependencies = [
"getrandom 0.3.3",
"getrandom 0.3.4",
"js-sys",
"rand 0.9.2",
"uuid-macro-internal",
@@ -6811,10 +7145,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
[[package]]
name = "wasi"
version = "0.14.3+wasi-0.2.4"
name = "wasip2"
version = "1.0.2+wasi-0.2.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6a51ae83037bdd272a9e28ce236db8c07016dd0d50c27038b3f407533c030c95"
checksum = "9517f9239f02c069db75e65f174b3da828fe5f5b945c4dd26bd25d89c03ebcf5"
dependencies = [
"wit-bindgen",
]
@@ -6936,6 +7270,15 @@ version = "0.25.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5f20c57d8d7db6d3b86154206ae5d8fba62dd39573114de97c2cb0578251f8e1"
[[package]]
name = "webpki-roots"
version = "0.26.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "521bc38abb08001b01866da9f51eb7c5d647a19260e00054a8c7fd5f9e57f7a9"
dependencies = [
"webpki-roots 1.0.2",
]
[[package]]
name = "webpki-roots"
version = "1.0.2"
@@ -7313,9 +7656,9 @@ dependencies = [
[[package]]
name = "wit-bindgen"
version = "0.45.0"
version = "0.51.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "052283831dbae3d879dc7f51f3d92703a316ca49f91540417d38591826127814"
checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5"
[[package]]
name = "writeable"
@@ -7357,7 +7700,7 @@ checksum = "cfe53a6657fd280eaa890a3bc59152892ffa3e30101319d168b781ed6529b049"
[[package]]
name = "yaserde"
version = "0.12.0"
source = "git+https://github.com/jggc/yaserde.git#adfdb1c5f4d054f114e5bd0ea7bda9c07a369def"
source = "git+https://github.com/jggc/yaserde.git#2eacb304113beee7270a10b81046d40ed3a99550"
dependencies = [
"log",
"xml-rs",
@@ -7366,7 +7709,7 @@ dependencies = [
[[package]]
name = "yaserde_derive"
version = "0.12.0"
source = "git+https://github.com/jggc/yaserde.git#adfdb1c5f4d054f114e5bd0ea7bda9c07a369def"
source = "git+https://github.com/jggc/yaserde.git#2eacb304113beee7270a10b81046d40ed3a99550"
dependencies = [
"heck",
"log",
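Review bot: the two `yaserde` hunks move a git dependency on a personal fork (`git+https://github.com/jggc/yaserde.git`) from commit `adfdb1c5…` to `2eacb304…` while the version string stays `0.12.0`, so the lockfile itself gives no hint of what changed. For a git dependency that is not a crates.io release, the PR description should state what the fork commit adds and whether it has been pushed upstream, so the pin can be reviewed like any other dependency bump.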


@@ -7,6 +7,7 @@ members = [
"harmony_types",
"harmony_macros",
"harmony_tui",
"harmony_execution",
"opnsense-config",
"opnsense-config-xml",
"harmony_cli",
@@ -17,6 +18,8 @@ members = [
"harmony_secret",
"adr/agent_discovery/mdns",
"brocade",
"harmony_agent",
"harmony_agent/deploy",
]
[workspace.package]
@@ -49,6 +52,7 @@ kube = { version = "1.1.0", features = [
"jsonpatch",
] }
k8s-openapi = { version = "0.25", features = ["v1_30"] }
# TODO replace with https://github.com/bourumir-wyngs/serde-saphyr as serde_yaml is deprecated https://github.com/sebastienrousseau/serde_yml
serde_yaml = "0.9"
serde-value = "0.7"
http = "1.2"
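Review bot: the new comment above `serde_yaml = "0.9"` records that the crate is deprecated and names a replacement, but the pin is left unchanged and the template-hydration ADR added in this same change set builds its whole pattern on `serde_yaml::to_string()`. Either reference a tracking issue in the TODO so the migration is not lost, or do the swap to `serde-saphyr` now before more code depends on the deprecated crate.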


@@ -1,4 +1,8 @@
# Harmony : Open-source infrastructure orchestration that treats your platform like first-class code
# Harmony
Open-source infrastructure orchestration that treats your platform like first-class code.
In other words, Harmony is a **next-generation platform engineering framework**.
_By [NationTech](https://nationtech.io)_
@@ -18,9 +22,7 @@ All in **one strongly-typed Rust codebase**.
From a **developer laptop** to a **global production cluster**, a single **source of truth** drives the **full software lifecycle.**
---
## 1 · The Harmony Philosophy
## The Harmony Philosophy
Infrastructure is essential, but it shouldnt be your core business. Harmony is built on three guiding principles that make modern platforms reliable, repeatable, and easy to reason about.
@@ -32,9 +34,18 @@ Infrastructure is essential, but it shouldnt be your core business. Harmony i
These principles surface as simple, ergonomic Rust APIs that let teams focus on their product while trusting the platform underneath.
---
## Where to Start
## 2 · Quick Start
We have a comprehensive set of documentation right here in the repository.
| I want to... | Start Here |
| ----------------- | ------------------------------------------------------------------ |
| Get Started | [Getting Started Guide](./docs/guides/getting-started.md) |
| See an Example | [Use Case: Deploy a Rust Web App](./docs/use-cases/rust-webapp.md) |
| Explore | [Documentation Hub](./docs/README.md) |
| See Core Concepts | [Core Concepts Explained](./docs/concepts.md) |
## Quick Look: Deploy a Rust Webapp
The snippet below spins up a complete **production-grade Rust + Leptos Webapp** with monitoring. Swap it for your own scores to deploy anything from microservices to machine-learning pipelines.
@@ -92,63 +103,33 @@ async fn main() {
}
```
Run it:
To run this:
```bash
cargo run
```
- Clone the repository: `git clone https://git.nationtech.io/nationtech/harmony`
- Install dependencies: `cargo build --release`
- Run the example: `cargo run --example try_rust_webapp`
Harmony analyses the code, shows an execution plan in a TUI, and applies it once you confirm. Same code, same binary—every environment.
## Documentation
---
All documentation is in the `/docs` directory.
## 3 · Core Concepts
- [Documentation Hub](./docs/README.md): The main entry point for all documentation.
- [Core Concepts](./docs/concepts.md): A detailed look at Score, Topology, Capability, Inventory, and Interpret.
- [Component Catalogs](./docs/catalogs/README.md): Discover all available Scores, Topologies, and Capabilities.
- [Developer Guide](./docs/guides/developer-guide.md): Learn how to write your own Scores and Topologies.
| Term | One-liner |
| ---------------- | ---------------------------------------------------------------------------------------------------- |
| **Score<T>** | Declarative description of the desired state (e.g., `LAMPScore`). |
| **Interpret<T>** | Imperative logic that realises a `Score` on a specific environment. |
| **Topology** | An environment (local k3d, AWS, bare-metal) exposing verified _Capabilities_ (Kubernetes, DNS, …). |
| **Maestro** | Orchestrator that compiles Scores + Topology, ensuring all capabilities line up **at compile-time**. |
| **Inventory** | Optional catalogue of physical assets for bare-metal and edge deployments. |
## Architectural Decision Records
A visual overview is in the diagram below.
- [ADR-001 · Why Rust](adr/001-rust.md)
- [ADR-003 · Infrastructure Abstractions](adr/003-infrastructure-abstractions.md)
- [ADR-006 · Secret Management](adr/006-secret-management.md)
- [ADR-011 · Multi-Tenant Cluster](adr/011-multi-tenant-cluster.md)
[Harmony Core Architecture](docs/diagrams/Harmony_Core_Architecture.drawio.svg)
## Contribute
---
Discussions and roadmap live in [Issues](https://git.nationtech.io/nationtech/harmony/-/issues). PRs, ideas, and feedback are welcome!
## 4 · Install
Prerequisites:
- Rust
- Docker (if you deploy locally)
- `kubectl` / `helm` for Kubernetes-based topologies
```bash
git clone https://git.nationtech.io/nationtech/harmony
cd harmony
cargo build --release # builds the CLI, TUI and libraries
```
---
## 5 · Learning More
- **Architectural Decision Records** dive into the rationale
- [ADR-001 · Why Rust](adr/001-rust.md)
- [ADR-003 · Infrastructure Abstractions](adr/003-infrastructure-abstractions.md)
- [ADR-006 · Secret Management](adr/006-secret-management.md)
- [ADR-011 · Multi-Tenant Cluster](adr/011-multi-tenant-cluster.md)
- **Extending Harmony** write new Scores / Interprets, add hardware like OPNsense firewalls, or embed Harmony in your own tooling (`/docs`).
- **Community** discussions and roadmap live in [GitLab issues](https://git.nationtech.io/nationtech/harmony/-/issues). PRs, ideas, and feedback are welcome!
---
## 6 · License
## License
Harmony is released under the **GNU AGPL v3**.
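Review bot: in the rewritten quick-look steps, the bullet `Install dependencies: \`cargo build --release\`` is mislabelled: that command builds the whole workspace in release mode rather than fetching dependencies, and `cargo run --example try_rust_webapp` will build what it needs anyway, so either drop the bullet or rename it to "Build everything". Separately, the new `## Documentation` list repeats the Documentation Hub and Core Concepts links that already appear in the `## Where to Start` table earlier in this file; keep one of the two so the links do not drift apart over time.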


@@ -0,0 +1,189 @@
### 1. ADR 017-1: NATS Cluster Interconnection & Trust Topology
# Architecture Decision Record: NATS Cluster Interconnection & Trust Topology
**Status:** Proposed
**Date:** 2026-01-12
**Precedes:** [017-Staleness-Detection-for-Failover.md]
## Context
In ADR 017, we defined the failover mechanisms for the Harmony mesh. However, for a Primary (Site A) and a Replica (Site B) to communicate securely—or for the Global Mesh to function across disparate locations—we must establish a robust Transport Layer Security (TLS) strategy.
Our primary deployment platform is OKD (Kubernetes). While OKD provides an internal `service-ca`, it is designed primarily for intra-cluster service-to-service communication. It lacks the flexibility required for:
1. **Public/External Gateway Identities:** NATS Gateways need to identify themselves via public DNS names or external IPs, not just internal `.svc` cluster domains.
2. **Cross-Cluster Trust:** We need a mechanism to allow Cluster A to trust Cluster B without sharing a single private root key.
## Decision
We will implement an **"Islands of Trust"** topology using **cert-manager** on OKD.
### 1. Per-Cluster Certificate Authorities (CA)
* We explicitly **reject** the use of a single "Supercluster CA" shared across all sites.
* Instead, every Harmony Cluster (Site A, Site B, etc.) will generate its own unique Self-Signed Root CA managed by `cert-manager` inside that cluster.
* **Lifecycle:** Root CAs will have a long duration (e.g., 10 years) to minimize rotation friction, while Leaf Certificates (NATS servers) will remain short-lived (e.g., 90 days) and rotate automatically.
> Note : The decision to have a single CA for various workloads managed by Harmony on each deployment, or to have multiple CA for each service that requires interconnection is not made yet. This ADR leans towards one CA per service. This allows for maximum flexibility. But the direction might change and no clear decision has been made yet. The alternative of establishing that each cluster/harmony deployment has a single identity could make mTLS very simple between tenants.
### 2. Trust Federation via Bundle Exchange
To enable secure communication (mTLS) between clusters (e.g., for NATS Gateways or Leaf Nodes):
* **No Private Keys are shared.**
* We will aggregate the **Public CA Certificates** of all trusted clusters into a shared `ca-bundle.pem`.
* This bundle is distributed to the NATS configuration of every node.
* **Verification Logic:** When Site A connects to Site B, Site A verifies Site B's certificate against the bundle. Since Site B's CA public key is in the bundle, the connection is accepted.
### 3. Tooling
* We will use **cert-manager** (deployed via Operator on OKD) rather than OKD's built-in `service-ca`. This provides us with standard CRDs (`Issuer`, `Certificate`) to manage the lifecycle, rotation, and complex SANs (Subject Alternative Names) required for external connectivity.
* Harmony will manage installation, configuration and bundle creation across all sites
## Rationale
**Security Blast Radius (The "Key Leak" Scenario)**
If we used a single global CA and the private key for Site A was compromised (e.g., physical theft of a server from a basement), the attacker could impersonate *any* site in the global mesh.
By using Per-Cluster CAs:
* If Site A is compromised, only Site A's identity is stolen.
* We can "evict" Site A from the mesh simply by removing Site A's Public CA from the `ca-bundle.pem` on the remaining healthy clusters and reloading. The attacker can no longer authenticate.
**Decentralized Autonomy**
This aligns with the "Humane Computing" vision. A local cluster owns its identity. It does not depend on a central authority to issue its certificates. It can function in isolation (offline) indefinitely without needing to "phone home" to renew credentials.
## Consequences
**Positive**
* **High Security:** Compromise of one node does not compromise the global mesh.
* **Flexibility:** Easier to integrate with third-party clusters or partners by simply adding their public CA to the bundle.
* **Standardization:** `cert-manager` is the industry standard, making the configuration portable to non-OKD K8s clusters if needed.
**Negative**
* **Configuration Complexity:** We must manage a mechanism to distribute the `ca-bundle.pem` containing public keys to all sites. This should be automated (e.g., via a Harmony Agent) to ensure timely updates and revocation.
* **Revocation Latency:** Revoking a compromised cluster requires updating and reloading the bundle on all other clusters. This is slower than OCSP/CRL but acceptable for infrastructure-level trust if automation is in place.
---
# 2. Concrete overview of the process, how it can be implemented manually across multiple OKD clusters
All of this will be automated via Harmony, but to understand correctly the process it is outlined in details here :
## 1. Deploying and Configuring cert-manager on OKD
While OKD has a built-in `service-ca` controller, it is "opinionated" and primarily signs certs for internal services (like `my-svc.my-namespace.svc`). It is **not suitable** for the Harmony Global Mesh because you cannot easily control the Subject Alternative Names (SANs) for external routes (e.g., `nats.site-a.nationtech.io`), nor can you easily export its CA to other clusters.
**The Solution:** Use the **cert-manager Operator for Red Hat OpenShift**.
### Step 1: Install the Operator
1. Log in to the OKD Web Console.
2. Navigate to **Operators** -> **OperatorHub**.
3. Search for **"cert-manager"**.
4. Choose the **"cert-manager Operator for Red Hat OpenShift"** (Red Hat provided) or the community version.
5. Click **Install**. Use the default settings (Namespace: `cert-manager-operator`).
### Step 2: Create the "Island" CA (The Issuer)
Once installed, you define your cluster's unique identity. Apply this YAML to your NATS namespace.
```yaml
# filepath: k8s/01-issuer.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: harmony-selfsigned-issuer
namespace: harmony-nats
spec:
selfSigned: {}
---
# This generates the unique Root CA for THIS specific cluster
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: harmony-root-ca
namespace: harmony-nats
spec:
isCA: true
commonName: "harmony-site-a-ca" # CHANGE THIS per cluster (e.g., site-b-ca)
duration: 87600h # 10 years
renewBefore: 2160h # 3 months before expiry
secretName: harmony-root-ca-secret
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: harmony-selfsigned-issuer
kind: Issuer
group: cert-manager.io
---
# This Issuer uses the Root CA generated above to sign NATS certs
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: harmony-ca-issuer
namespace: harmony-nats
spec:
ca:
secretName: harmony-root-ca-secret
```
### Step 3: Generate the NATS Server Certificate
This certificate will be used by the NATS server. It includes both internal DNS names (for local clients) and external DNS names (for the global mesh).
```yaml
# filepath: k8s/02-nats-cert.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nats-server-cert
namespace: harmony-nats
spec:
secretName: nats-server-tls
duration: 2160h # 90 days
renewBefore: 360h # 15 days
issuerRef:
name: harmony-ca-issuer
kind: Issuer
# CRITICAL: Define all names this server can be reached by
dnsNames:
- "nats"
- "nats.harmony-nats.svc"
- "nats.harmony-nats.svc.cluster.local"
- "*.nats.harmony-nats.svc.cluster.local"
- "nats-gateway.site-a.nationtech.io" # External Route for Mesh
```
## 2. Implementing the "Islands of Trust" (Trust Bundle)
To make Site A and Site B talk, you need to exchange **Public Keys**.
1. **Extract Public CA from Site A:**
```bash
oc get secret harmony-root-ca-secret -n harmony-nats -o jsonpath='{.data.ca\.crt}' | base64 -d > site-a.crt
```
2. **Extract Public CA from Site B:**
```bash
oc get secret harmony-root-ca-secret -n harmony-nats -o jsonpath='{.data.ca\.crt}' | base64 -d > site-b.crt
```
3. **Create the Bundle:**
Combine them into one file.
```bash
cat site-a.crt site-b.crt > ca-bundle.crt
```
4. **Upload Bundle to Both Clusters:**
Create a ConfigMap or Secret in *both* clusters containing this combined bundle.
```bash
oc create configmap nats-trust-bundle --from-file=ca.crt=ca-bundle.crt -n harmony-nats
```
5. **Configure NATS:**
Mount this ConfigMap and point NATS to it.
```conf
# nats.conf snippet
tls {
cert_file: "/etc/nats-certs/tls.crt"
key_file: "/etc/nats-certs/tls.key"
# Point to the bundle containing BOTH Site A and Site B public CAs
ca_file: "/etc/nats-trust/ca.crt"
}
```
This setup ensures that Site A can verify Site B's certificate (signed by `harmony-site-b-ca`) because Site B's CA is in Site A's trust store, and vice versa, without ever sharing the private keys that generated them.
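Review bot: the `tls { ... }` snippet in step 5 points `ca_file` at the trust bundle but never sets `verify: true`, so the NATS server will present its own certificate yet will not demand or check a client certificate; the mutual TLS that section 2 promises ("To enable secure communication (mTLS)") needs `verify: true` in this block, and the equivalent `tls` block inside the `gateway` section for gateway-to-gateway links, otherwise removing a CA from `ca-bundle.pem` evicts nothing. Also, steps 1 and 2 of the bundle exchange run the identical `oc get secret ...` command; add the `--context` (or kubeconfig) switch for Site B so a reader does not extract Site A's CA twice and ship a bundle that only ever trusts one island.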


@@ -0,0 +1,141 @@
# Architecture Decision Record: Template Hydration for Kubernetes Manifest Generation
Initial Author: Jean-Gabriel Gill-Couture & Sylvain Tremblay
Initial Date: 2025-01-23
Last Updated Date: 2025-01-23
## Status
Implemented
## Context
Harmony's philosophy is built on three guiding principles: Infrastructure as Resilient Code, Prove It Works — Before You Deploy, and One Unified Model. Our goal is to shift validation and verification as left as possible—ideally to compile time—rather than discovering errors at deploy time.
After investigating a few approaches such as compile-checked Askama templates to generate Kubernetes manifests for Helm charts, we found again that this approach suffered from several fundamental limitations:
* **Late Validation:** Typos in template syntax or field names are only discovered at deployment time, not during compilation. A mistyped `metadata.name` won't surface until Helm attempts to render the template.
* **Brittle Maintenance:** Templates are string-based with limited IDE support. Refactoring requires grep-and-replace across YAML-like template files, risking subtle breakage.
* **Hard-to-Test Logic:** Testing template output requires mocking the template engine and comparing serialized strings rather than asserting against typed data structures.
* **No Type Safety:** There is no guarantee that the generated YAML will be valid Kubernetes resources without runtime validation.
We also faced a strategic choice around Helm: use it as both *templating engine* and *packaging mechanism*, or decouple these concerns. While Helm's ecosystem integration (Harbor, ArgoCD, OCI registry support) is valuable, the Jinja-like templating is at odds with Harmony's "code-first" ethos.
## Decision
We will adopt the **Template Hydration Pattern**—constructing Kubernetes manifests programmatically using strongly-typed `kube-rs` objects, then serializing them to YAML files for packaging into Helm charts.
Specifically:
* **Write strongly typed `k8s_openapi` Structs:** All Kubernetes resources (Deployment, Service, ConfigMap, etc.) will be constructed using the typed structs generated by `k8s_openapi`.
* **Direct Serialization to YAML:** Rather than rendering templates, we use `serde_yaml::to_string()` to serialize typed objects directly into YAML manifests. This way, YAML is only used as a data-transfer format and not a templating/programming language - which it is not.
* **Helm as Packaging-Only:** Helm's role is reduced to packaging pre-rendered templates into a tarball and pushing to OCI registries. No template rendering logic resides within Helm.
* **Ecosystem Preservation:** The generated Helm charts remain fully compatible with Harbor, ArgoCD, and any Helm-compatible tool—the only difference is that the `templates/` directory contains static YAML files.
The implementation in `backend_app.rs` demonstrates this pattern:
```rust
let deployment = Deployment {
metadata: ObjectMeta {
name: Some(self.name.clone()),
labels: Some([("app.kubernetes.io/name".to_string(), self.name.clone())].into()),
..Default::default()
},
spec: Some(DeploymentSpec { /* ... */ }),
..Default::default()
};
let deployment_yaml = serde_yaml::to_string(&deployment)?;
fs::write(templates_dir.join("deployment.yaml"), deployment_yaml)?;
```
## Rationale
**Aligns with "Infrastructure as Resilient Code"**
Harmony's first principle states that infrastructure should be treated like application code. By expressing Kubernetes manifests as Rust structs, we gain:
* **Refactorability:** Rename a label and the compiler catches all usages.
* **IDE Support:** Autocomplete for all Kubernetes API fields; documentation inline.
* **Code Navigation:** Jump to definition shows exactly where a value comes from.
**Achieves "Prove It Works — Before You Deploy"**
The compiler now validates that:
* All required fields are populated (Rust's `Option` type prevents missing fields).
* Field types match expectations (ports are integers, not strings).
* Enums contain valid values (e.g., `ServiceType::ClusterIP`).
This moves what was runtime validation into compile-time checks, fulfilling the "shift left" promise.
**Enables True Unit Testing**
Developers can now write unit tests that assert directly against typed objects:
```rust
let deployment = create_deployment(&app);
assert_eq!(deployment.spec.unwrap().replicas.unwrap(), 3);
assert_eq!(deployment.metadata.name.unwrap(), "my-app");
```
No string parsing, no YAML serialization, no fragile assertions against rendered output.
**Preserves Ecosystem Benefits**
By generating standard Helm chart structures, Harmony retains compatibility with:
* **OCI Registries (Harbor, GHCR):** `helm push` works exactly as before.
* **ArgoCD:** Syncs and manages releases using the generated charts.
* **Existing Workflows:** Teams already consuming Helm charts see no change.
The Helm tarball becomes a "dumb pipe" for transport, which is arguably its ideal role.
## Consequences
### Positive
* **Compile-Time Safety:** A broad class of errors (typos, missing fields, type mismatches) is now caught at build time.
* **Better Developer Experience:** IDE autocomplete, inline documentation, and refactor support significantly reduce the learning curve for Kubernetes manifests.
* **Testability:** Unit tests can validate manifest structure without integration or runtime checks.
* **Auditability:** The source-of-truth for manifests is now pure Rust—easier to review in pull requests than template logic scattered across files.
* **Future-Extensibility:** CustomResources (CRDs) can be supported via `kopium`-generated Rust types, maintaining the same strong typing.
### Negative
* **API Schema Drift:** Kubernetes API changes require regenerating `k8s_openapi` types and updating code. A change in a struct field will cause the build to fail—intentionally, but still requiring the pipeline to be updated.
* **Verbosity:** Typed construction is more verbose than the equivalent template. Builder patterns or helper functions will be needed to keep code readable.
* **Learning Curve:** Contributors must understand both the Kubernetes resource spec *and* the Rust type system, rather than just YAML.
* **Debugging Shift:** When debugging generated YAML, you now trace through Rust code rather than template files—more precise but different mental model.
## Alternatives Considered
### 1. Enhance Askama with Compile-Time Validation
*Pros:* Stay within familiar templating paradigm; minimal code changes.
*Cons:* Rust's type system cannot fully express Kubernetes schema validation without significant macro boilerplate. Errors would still surface at template evaluation time, not compilation.
### 2. Use Helm SDK Programmatically (Go)
*Pros:* Direct access to Helm's template engine; no YAML serialization step.
*Cons:* Would introduce a second language (Go) into a Rust codebase, increasing cognitive load and compilation complexity. No improvement in compile-time safety.
### 3. Raw YAML String Templating (Manual)
*Pros:* Maximum control; no external dependencies.
*Cons:* Even more error-prone than Askama; no structure validation; string concatenation errors abound.
### 4. Use Kustomize for All Manifests
*Pros:* Declarative overlays; standard tool.
*Cons:* Kustomize is itself a layer over YAML templates with its own DSL. It does not provide compile-time type safety and would require externalizing manifest management outside Harmony's codebase.
__Note that this template hydration architecture still allows to override templates with tools like kustomize when required__
## Additional Notes
**Scalability to Future Topologies**
The Template Hydration pattern enables future Harmony architectures to generate manifests dynamically based on topology context. For example, a `CostTopology` might adjust resource requests based on cluster pricing, manipulating the typed `Deployment::spec` directly before serialization.
**Implementation Status**
As of this writing, the pattern is implemented for `BackendApp` deployments (`backend_app.rs`). The next phase is to extend this pattern across all application modules (`webapp.rs`, etc.) and to standardize on this approach for any new implementations.
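Review bot: the bullets under "Achieves Prove It Works" (`All required fields are populated (Rust's Option type prevents missing fields)` and `Enums contain valid values (e.g., ServiceType::ClusterIP)`) claim more than the `k8s_openapi` types named under Negative actually enforce. In those types `Option` marks a field as optional rather than preventing its omission: `ObjectMeta.name` is `Option<String>`, so the `Deployment` in the snippet compiles with `name: None` and is rejected only by the API server. Enum-like fields are plain strings there too (`ServiceSpec.type_` is `Option<String>`; there is no `ServiceType` enum), so a misspelled service type or restart policy is not caught at build time. Suggest rewording to say the compiler checks field names, nesting and scalar types while required-field presence and enumerated values remain server-side validation, and backing the shift-left claim with a CI step that runs `kubectl apply --dry-run=server` (or the `oc` equivalent) against the generated `templates/` directory. Separately, `serde_yaml` as used in the snippet is archived upstream and its final release (0.9.34) is marked deprecated; record that in the ADR and plan a move to a maintained fork so the serializer this design depends on is not an abandoned supply-chain dependency.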


@@ -0,0 +1,65 @@
# Architecture Decision Record: Network Bonding Configuration via External Automation
Initial Author: Jean-Gabriel Gill-Couture & Sylvain Tremblay
Initial Date: 2026-02-13
Last Updated Date: 2026-02-13
## Status
Accepted
## Context
We need to configure LACP bonds on 10GbE interfaces across all worker nodes in the OpenShift cluster. A significant challenge is that interface names (e.g., `enp1s0f0` vs `ens1f0`) vary across different hardware nodes.
The standard OpenShift mechanism (MachineConfig) applies identical configurations to all nodes in a MachineConfigPool. Since the interface names differ, a single static MachineConfig cannot target specific physical devices across the entire cluster without complex workarounds.
## Decision
We will use the existing "Harmony" automation tool to generate and apply host-specific NetworkManager configuration files directly to the nodes.
1. Harmony will generate the specific `.nmconnection` files for the bond and slaves based on its inventory of interface names.
2. Files will be pushed to `/etc/NetworkManager/system-connections/` on each node.
3. Configuration will be applied via `nmcli` reload or a node reboot.
## Rationale
* **Inventory Awareness:** Harmony already possesses the specific interface mapping data for each host.
* **Persistence:** Fedora CoreOS/SCOS allows writing to `/etc`, and these files persist across reboots and OS upgrades (rpm-ostree updates).
* **Avoids Complexity:** This approach avoids the operational overhead of creating unique MachineConfigPools for every single host or hardware variant.
* **Safety:** Unlike wildcard matching, this ensures explicit interface selection, preventing accidental bonding of reserved interfaces (e.g., future separation of Ceph storage traffic).
## Consequences
**Pros:**
* Precise, per-host configuration without polluting the Kubernetes API with hundreds of MachineConfigs.
* Standard Linux networking behavior; easy to debug locally.
* Prevents accidental interface capture (unlike wildcards).
**Cons:**
* **Loss of Declarative K8s State:** The network config is not managed by the Machine Config Operator (MCO).
* **Node Replacement Friction:** Newly provisioned nodes (replacements) will boot with default config. Harmony must be run against new nodes manually or via a hook before they can fully join the cluster workload.
## Alternatives considered
1. **Wildcard Matching in NetworkManager (e.g., `interface-name=enp*`):**
* *Pros:* Single MachineConfig for the whole cluster.
* *Cons:* Rejected because it is too broad. It risks capturing interfaces intended for other purposes (e.g., splitting storage and cluster networks later).
2. **"Kitchen Sink" Configuration:**
* *Pros:* Single file listing every possible interface name as a slave.
* *Cons:* "Dirty" configuration; results in many inactive connections on every host; brittle if new naming schemes appear.
3. **Per-Host MachineConfig:**
* *Pros:* Fully declarative within OpenShift.
* *Cons:* Requires a unique `MachineConfigPool` per host, which is an anti-pattern and unmaintainable at scale.
4. **On-boot Generation Script:**
* *Pros:* Dynamic detection.
* *Cons:* Increases boot complexity; harder to debug if the script fails during startup.
## Additional Notes
While `/etc` is writable and persistent on CoreOS, this configuration falls outside the "Day 1" Ignition process. Operational runbooks must be updated to ensure Harmony runs on any node replacement events.
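Review bot: the Decision (steps 1 to 3, ending in `Configuration will be applied via nmcli reload or a node reboot`) does not say how the apply is sequenced on a node that is already serving traffic. Enslaving the node's in-use 10GbE uplinks into a new LACP bond on reload drops the node's connectivity, including the session that pushed the files, until the switch side of the port-channel is up, so the runbook should spell out: cordon and drain the node, push the files, reload or reboot, verify, then uncordon. Two concrete checks belong in step 3: NetworkManager only loads keyfiles from `/etc/NetworkManager/system-connections/` that are owned by root with mode 0600 (files with wider permissions are rejected as insecure), so the push must set owner and mode, not just content; and after the reload Harmony should confirm the bond and its slaves are active and the LACP partner negotiated (for example `nmcli -t -f NAME,DEVICE,STATE connection show --active` and `/proc/net/bonding/<bond name>`) before declaring success, since a half-applied bond is exactly the failure the explicit-interface rationale is meant to avoid. The Node Replacement con would also shrink if Harmony treated "bond missing on this host" as a detectable drift condition rather than relying on the runbook alone.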


@@ -16,3 +16,4 @@ env_logger.workspace = true
regex = "1.11.3"
harmony_secret = { path = "../harmony_secret" }
serde.workspace = true
schemars = "0.8"
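Review bot: `schemars = "0.8"` is pinned inline while the neighbouring `serde.workspace = true` and `env_logger.workspace = true` use workspace dependencies; declare schemars under `[workspace.dependencies]` and write `schemars.workspace = true` here so every crate deriving `JsonSchema` shares one version (two schemars versions in the dependency graph make `JsonSchema` impls from the two crates incompatible with each other).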


@@ -3,9 +3,10 @@ use std::net::{IpAddr, Ipv4Addr};
use brocade::{BrocadeOptions, ssh};
use harmony_secret::{Secret, SecretManager};
use harmony_types::switch::PortLocation;
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
#[derive(Secret, Clone, Debug, Serialize, Deserialize)]
#[derive(Secret, Clone, Debug, JsonSchema, Serialize, Deserialize)]
struct BrocadeSwitchAuth {
username: String,
password: String,
@@ -20,17 +21,15 @@ async fn main() {
// let ip = IpAddr::V4(Ipv4Addr::new(192, 168, 4, 11)); // brocade @ st
let switch_addresses = vec![ip];
// let config = SecretManager::get_or_prompt::<BrocadeSwitchAuth>()
// .await
// .unwrap();
let config = SecretManager::get_or_prompt::<BrocadeSwitchAuth>()
.await
.unwrap();
let brocade = brocade::init(
&switch_addresses,
// &config.username,
// &config.password,
"admin",
"password",
BrocadeOptions {
&config.username,
&config.password,
&BrocadeOptions {
dry_run: true,
ssh: ssh::SshOptions {
port: 2222,
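Review bot: replacing the literal `"admin"` / `"password"` arguments with `SecretManager::get_or_prompt::<BrocadeSwitchAuth>()` is the right change, but `BrocadeSwitchAuth` still derives `Debug` while holding `password: String`, so any `{:?}` of the config, or of a larger struct that embeds it, prints the switch password into logs. Suggest a manual `Debug` impl that redacts `password`, or a newtype for the password whose `Debug` prints `[REDACTED]`, so the secret cannot leak through `debug!`/`info!` calls elsewhere in the crate.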


@@ -144,7 +144,7 @@ pub async fn init(
ip_addresses: &[IpAddr],
username: &str,
password: &str,
options: BrocadeOptions,
options: &BrocadeOptions,
) -> Result<Box<dyn BrocadeClient + Send + Sync>, Error> {
let shell = BrocadeShell::init(ip_addresses, username, password, options).await?;


@@ -28,7 +28,7 @@ impl BrocadeShell {
ip_addresses: &[IpAddr],
username: &str,
password: &str,
options: BrocadeOptions,
options: &BrocadeOptions,
) -> Result<Self, Error> {
let ip = ip_addresses
.first()


@@ -70,7 +70,7 @@ pub async fn try_init_client(
username: &str,
password: &str,
ip: &std::net::IpAddr,
base_options: BrocadeOptions,
base_options: &BrocadeOptions,
) -> Result<BrocadeOptions, Error> {
let mut default = SshOptions::default();
default.port = base_options.ssh.port;


@@ -1 +1,33 @@
Not much here yet, see the `adr` folder for now. More to come in time!
# Harmony Documentation Hub
Welcome to the Harmony documentation. This is the main entry point for learning everything from core concepts to building your own Score, Topologies, and Capabilities.
## 1. Getting Started
If you're new to Harmony, start here:
- [**Getting Started Guide**](./guides/getting-started.md): A step-by-step tutorial that takes you from an empty project to deploying your first application.
- [**Core Concepts**](./concepts.md): A high-level overview of the key concepts in Harmony: `Score`, `Topology`, `Capability`, `Inventory`, `Interpret`, ...
## 2. Use Cases & Examples
See how to use Harmony to solve real-world problems.
- [**OKD on Bare Metal**](./use-cases/okd-on-bare-metal.md): A detailed walkthrough of bootstrapping a high-availability OKD cluster from physical hardware.
- [**Deploy a Rust Web App**](./use-cases/deploy-rust-webapp.md): A quick guide to deploying a monitored, containerized web application to a Kubernetes cluster.
## 3. Component Catalogs
Discover existing, reusable components you can use in your Harmony projects.
- [**Scores Catalog**](./catalogs/scores.md): A categorized list of all available `Scores` (the "what").
- [**Topologies Catalog**](./catalogs/topologies.md): A list of all available `Topologies` (the "where").
- [**Capabilities Catalog**](./catalogs/capabilities.md): A list of all available `Capabilities` (the "how").
## 4. Developer Guides
Ready to build your own components? These guides show you how.
- [**Writing a Score**](./guides/writing-a-score.md): Learn how to create your own `Score` and `Interpret` logic to define a new desired state.
- [**Writing a Topology**](./guides/writing-a-topology.md): Learn how to model a new environment (like AWS, GCP, or custom hardware) as a `Topology`.
- [**Adding Capabilities**](./guides/adding-capabilities.md): See how to add a `Capability` to your custom `Topology`.
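Review bot: the hub links to `./guides/writing-a-score.md`, `./guides/writing-a-topology.md`, `./guides/adding-capabilities.md` and the two `./use-cases/*.md` pages, but the only docs files visible elsewhere in this change are `docs/catalogs/*.md`, `docs/concepts.md` and the Getting Started guide; confirm the remaining targets exist in this commit or mark them as planned in the list, so the new entry point does not ship with dead links.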

docs/catalogs/README.md Normal file

@@ -0,0 +1,7 @@
# Component Catalogs
This section is the "dictionary" for Harmony. It lists all the reusable components available out-of-the-box.
- [**Scores Catalog**](./scores.md): Discover all available `Scores` (the "what").
- [**Topologies Catalog**](./topologies.md): A list of all available `Topologies` (the "where").
- [**Capabilities Catalog**](./capabilities.md): A list of all available `Capabilities` (the "how").


@@ -0,0 +1,40 @@
# Capabilities Catalog
A `Capability` is a specific feature or API that a `Topology` offers. `Interpret` logic uses these capabilities to execute a `Score`.
This list is primarily for developers **writing new Topologies or Scores**. As a user, you just need to know that the `Topology` you pick (like `K8sAnywhereTopology`) provides the capabilities your `Scores` (like `ApplicationScore`) need.
<!--toc:start-->
- [Capabilities Catalog](#capabilities-catalog)
- [Kubernetes & Application](#kubernetes-application)
- [Monitoring & Observability](#monitoring-observability)
- [Networking (Core Services)](#networking-core-services)
- [Networking (Hardware & Host)](#networking-hardware-host)
<!--toc:end-->
## Kubernetes & Application
- **K8sClient**: Provides an authenticated client to interact with a Kubernetes API (create/read/update/delete resources).
- **HelmCommand**: Provides the ability to execute Helm commands (install, upgrade, template).
- **TenantManager**: Provides methods for managing tenants in a multi-tenant cluster.
- **Ingress**: Provides an interface for managing ingress controllers and resources.
## Monitoring & Observability
- **Grafana**: Provides an API for configuring Grafana (datasources, dashboards).
- **Monitoring**: A general capability for configuring monitoring (e.g., creating Prometheus rules).
## Networking (Core Services)
- **DnsServer**: Provides an interface for creating and managing DNS records.
- **LoadBalancer**: Provides an interface for configuring a load balancer (e.g., OPNsense, MetalLB).
- **DhcpServer**: Provides an interface for managing DHCP leases and host bindings.
- **TftpServer**: Provides an interface for managing files on a TFTP server (e.g., iPXE boot files).
## Networking (Hardware & Host)
- **Router**: Provides an interface for configuring routing rules, typically on a firewall like OPNsense.
- **Switch**: Provides an interface for configuring a physical network switch (e.g., managing VLANs and port channels).
- **NetworkManager**: Provides an interface for configuring host-level networking (e.g., creating bonds and bridges on a node).
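Review bot: the `NetworkManager` capability under "Networking (Hardware & Host)" shares its name with the Linux NetworkManager daemon that the bonding ADR in this same change drives through `.nmconnection` files, and the description (`creating bonds and bridges on a node`) makes the two easy to conflate. Either rename it (for example `HostNetwork`, matching `HighAvailabilityHostNetworkScore` in the scores catalog) or add a sentence stating that this is Harmony's host-network abstraction and the NetworkManager daemon is one backend it may use.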

docs/catalogs/scores.md Normal file

@@ -0,0 +1,102 @@
# Scores Catalog
A `Score` is a declarative description of a desired state. Find the Score you need and add it to your `harmony!` block's `scores` array.
<!--toc:start-->
- [Scores Catalog](#scores-catalog)
- [Application Deployment](#application-deployment)
- [OKD / Kubernetes Cluster Setup](#okd-kubernetes-cluster-setup)
- [Cluster Services & Management](#cluster-services-management)
- [Monitoring & Alerting](#monitoring-alerting)
- [Infrastructure & Networking (Bare Metal)](#infrastructure-networking-bare-metal)
- [Infrastructure & Networking (Cluster)](#infrastructure-networking-cluster)
- [Tenant Management](#tenant-management)
- [Utility](#utility)
<!--toc:end-->
## Application Deployment
Scores for deploying and managing end-user applications.
- **ApplicationScore**: The primary score for deploying a web application. Describes the application, its framework, and the features it requires (e.g., monitoring, CI/CD).
- **HelmChartScore**: Deploys a generic Helm chart to a Kubernetes cluster.
- **ArgoHelmScore**: Deploys an application using an ArgoCD Helm chart.
- **LAMPScore**: A specialized score for deploying a classic LAMP (Linux, Apache, MySQL, PHP) stack.
## OKD / Kubernetes Cluster Setup
This collection of Scores is used to provision an entire OKD cluster from bare metal. They are typically used in order.
- **OKDSetup01InventoryScore**: Discovers and catalogs the physical hardware.
- **OKDSetup02BootstrapScore**: Configures the bootstrap node, renders iPXE files, and kicks off the SCOS installation.
- **OKDSetup03ControlPlaneScore**: Renders iPXE configurations for the control plane nodes.
- **OKDSetupPersistNetworkBondScore**: Configures network bonds on the nodes and port channels on the switches.
- **OKDSetup04WorkersScore**: Renders iPXE configurations for the worker nodes.
- **OKDSetup06InstallationReportScore**: Runs post-installation checks and generates a report.
- **OKDUpgradeScore**: Manages the upgrade process for an existing OKD cluster.
## Cluster Services & Management
Scores for installing and managing services _inside_ a Kubernetes cluster.
- **K3DInstallationScore**: Installs and configes a local K3D (k3s-in-docker) cluster. Used by `K8sAnywhereTopology`.
- **CertManagerHelmScore**: Deploys the `cert-manager` Helm chart.
- **ClusterIssuerScore**: Configures a `ClusterIssuer` for `cert-manager`, (e.g., for Let's Encrypt).
- **K8sNamespaceScore**: Ensures a Kubernetes namespace exists.
- **K8sDeploymentScore**: Deploys a generic `Deployment` resource to Kubernetes.
- **K8sIngressScore**: Configures an `Ingress` resource for a service.
## Monitoring & Alerting
Scores for configuring observability, dashboards, and alerts.
- **ApplicationMonitoringScore**: A generic score to set up monitoring for an application.
- **ApplicationRHOBMonitoringScore**: A specialized score for setting up monitoring via the Red Hat Observability stack.
- **HelmPrometheusAlertingScore**: Configures Prometheus alerts via a Helm chart.
- **K8sPrometheusCRDAlertingScore**: Configures Prometheus alerts using the `PrometheusRule` CRD.
- **PrometheusAlertScore**: A generic score for creating a Prometheus alert.
- **RHOBAlertingScore**: Configures alerts specifically for the Red Hat Observability stack.
- **NtfyScore**: Configures alerts to be sent to a `ntfy.sh` server.
## Infrastructure & Networking (Bare Metal)
Low-level scores for managing physical hardware and network services.
- **DhcpScore**: Configures a DHCP server.
- **OKDDhcpScore**: A specialized DHCP configuration for the OKD bootstrap process.
- **OKDBootstrapDhcpScore**: Configures DHCP specifically for the bootstrap node.
- **DhcpHostBindingScore**: Creates a specific MAC-to-IP binding in the DHCP server.
- **DnsScore**: Configures a DNS server.
- **OKDDnsScore**: A specialized DNS configuration for the OKD cluster (e.g., `api.*`, `*.apps.*`).
- **StaticFilesHttpScore**: Serves a directory of static files (e.g., a documentation site) over HTTP.
- **TftpScore**: Configures a TFTP server, typically for serving iPXE boot files.
- **IPxeMacBootFileScore**: Assigns a specific iPXE boot file to a MAC address in the TFTP server.
- **OKDIpxeScore**: A specialized score for generating the iPXE boot scripts for OKD.
- **OPNsenseShellCommandScore**: Executes a shell command on an OPNsense firewall.
## Infrastructure & Networking (Cluster)
Network services that run inside the cluster or as part of the topology.
- **LoadBalancerScore**: Configures a general-purpose load balancer.
- **OKDLoadBalancerScore**: Configures the high-availability load balancers for the OKD API and ingress.
- **OKDBootstrapLoadBalancerScore**: Configures the load balancer specifically for the bootstrap-time API endpoint.
- **K8sIngressScore**: Configures an Ingress controller or resource.
- [HighAvailabilityHostNetworkScore](../../harmony/src/modules/okd/host_network.rs): Configures network bonds on a host and the corresponding port-channels on the switch stack for high-availability.
## Tenant Management
Scores for managing multi-tenancy within a cluster.
- **TenantScore**: Creates a new tenant (e.g., a namespace, quotas, network policies).
- **TenantCredentialScore**: Generates and provisions credentials for a new tenant.
## Utility
Helper scores for discovery and inspection.
- **LaunchDiscoverInventoryAgentScore**: Launches the agent responsible for the `OKDSetup01InventoryScore`.
- **DiscoverHostForRoleScore**: A utility score to find a host matching a specific role in the inventory.
- **InspectInventoryScore**: Dumps the discovered inventory for inspection.
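Review bot: `K8sIngressScore` is listed twice with different descriptions (under Cluster Services as `Configures an Ingress resource for a service` and under Infrastructure & Networking (Cluster) as `Configures an Ingress controller or resource`); keep one entry with a single accurate description. The OKD setup list says the scores "are typically used in order", yet `OKDSetupPersistNetworkBondScore` sits between 03 and 04 without a number and the sequence jumps from 04 to 06, so either number the bond score and note the gap or state the real order. Two smaller points: `HighAvailabilityHostNetworkScore` is the only entry rendered as a source link instead of bold text, and `configes` in the K3D entry should read `configures`.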


@@ -0,0 +1,59 @@
# Topologies Catalog
A `Topology` is the logical representation of your infrastructure and its `Capabilities`. You select a `Topology` in your Harmony project to define _where_ your `Scores` will be applied.
<!--toc:start-->
- [Topologies Catalog](#topologies-catalog)
- [HAClusterTopology](#haclustertopology)
- [K8sAnywhereTopology](#k8sanywheretopology)
<!--toc:end-->
### HAClusterTopology
- **`HAClusterTopology::autoload()`**
This `Topology` represents a high-availability, bare-metal cluster. It is designed for production-grade deployments like OKD.
It models an environment consisting of:
- At least 3 cluster nodes (for control plane/workers)
- 2 redundant firewalls (e.g., OPNsense)
- 2 redundant network switches
**Provided Capabilities:**
This topology provides a rich set of capabilities required for bare-metal provisioning and cluster management, including:
- `K8sClient` (once the cluster is bootstrapped)
- `DnsServer`
- `LoadBalancer`
- `DhcpServer`
- `TftpServer`
- `Router` (via the firewalls)
- `Switch`
- `NetworkManager` (for host-level network config)
---
### K8sAnywhereTopology
- **`K8sAnywhereTopology::from_env()`**
This `Topology` is designed for development and application deployment. It provides a simple, abstract way to deploy to _any_ Kubernetes cluster.
**How it works:**
1. By default (`from_env()` with no env vars), it automatically provisions a **local K3D (k3s-in-docker) cluster** on your machine. This is perfect for local development and testing.
2. If you provide a `KUBECONFIG` environment variable, it will instead connect to that **existing Kubernetes cluster** (e.g., your staging or production OKD cluster).
This allows you to use the _exact same code_ to deploy your application locally as you do to deploy it to production.
**Provided Capabilities:**
- `K8sClient`
- `HelmCommand`
- `TenantManager`
- `Ingress`
- `Monitoring`
- ...and more.
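Review bot: the `from_env()` behaviour described under "How it works" (a set `KUBECONFIG` silently switches the target from a local K3D cluster to `that existing Kubernetes cluster`) is a footgun for exactly the "same code locally and in production" use the section advertises: a developer whose shell already exports `KUBECONFIG` for a production OKD cluster will deploy there when they meant to test locally. Document the risk here and consider an explicit opt-in (a Harmony-specific variable, or a confirmation that prints the target context when `KUBECONFIG` is set) rather than keying off a variable that most cluster tooling sets as a matter of course.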

docs/concepts.md Normal file

@@ -0,0 +1,40 @@
# Core Concepts
Harmony's design is based on a few key concepts. Understanding them is the key to unlocking the framework's power.
### 1. Score
- **What it is:** A **Score** is a declarative description of a desired state. It's a "resource" that defines _what_ you want to achieve, not _how_ to do it.
- **Example:** `ApplicationScore` declares "I want this web application to be running and monitored."
### 2. Topology
- **What it is:** A **Topology** is the logical representation of your infrastructure and its abilities. It's the "where" your Scores will be applied.
- **Key Job:** A Topology's most important job is to expose which `Capabilities` it supports.
- **Example:** `HAClusterTopology` represents a bare-metal cluster and exposes `Capabilities` like `NetworkManager` and `Switch`. `K8sAnywhereTopology` represents a Kubernetes cluster and exposes the `K8sClient` `Capability`.
### 3. Capability
- **What it is:** A **Capability** is a specific feature or API that a `Topology` offers. It's the "how" a `Topology` can fulfill a `Score`'s request.
- **Example:** The `K8sClient` capability offers a way to interact with a Kubernetes API. The `Switch` capability offers a way to configure a physical network switch.
### 4. Interpret
- **What it is:** An **Interpret** is the execution logic that makes a `Score` a reality. It's the "glue" that connects the _desired state_ (`Score`) to the _environment's abilities_ (`Topology`'s `Capabilities`).
- **How it works:** When you apply a `Score`, Harmony finds the matching `Interpret` for your `Topology`. This `Interpret` then uses the `Capabilities` provided by the `Topology` to execute the necessary steps.
### 5. Inventory
- **What it is:** An **Inventory** is the physical material (the "what") used in a cluster. This is most relevant for bare-metal or on-premise topologies.
- **Example:** A list of nodes with their roles (control plane, worker), CPU, RAM, and network interfaces. For the `K8sAnywhereTopology`, the inventory might be empty or autoloaded, as the infrastructure is more abstract.
---
### How They Work Together (The Compile-Time Check)
1. You **write a `Score`** (e.g., `ApplicationScore`).
2. Your `Score`'s `Interpret` logic requires certain **`Capabilities`** (e.g., `K8sClient` and `Ingress`).
3. You choose a **`Topology`** to run it on (e.g., `HAClusterTopology`).
4. **At compile-time**, Harmony checks: "Does `HAClusterTopology` provide the `K8sClient` and `Ingress` capabilities that `ApplicationScore` needs?"
- **If Yes:** Your code compiles. You can be confident it will run.
- **If No:** The compiler gives you an error. You've just prevented a "config-is-valid-but-platform-is-wrong" runtime error before you even deployed.
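Review bot: the Inventory section calls the hardware `the "what"` while the Score section defines a Score as `what you want to achieve`, and the Scores catalog in this same change also labels Scores "the what"; give Inventory a distinct tag (for example "the material" or "the with-what") so the five concepts keep one label each. The compile-time check in step 4 is worth tying to its mechanism in one clause: it is the trait bound on `Score<T>` (such as `impl<T: Topology + Switch> Score<T>` in the brocade example) that rejects a Topology lacking a required capability, which tells readers where to look when the error appears.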


@@ -0,0 +1,42 @@
# Getting Started Guide
Welcome to Harmony! This guide will walk you through installing the Harmony framework, setting up a new project, and deploying your first application.
We will build and deploy the "Rust Web App" example, which automatically:
1. Provisions a local K3D (Kubernetes in Docker) cluster.
2. Deploys a sample Rust web application.
3. Sets up monitoring for the application.
## Prerequisites
Before you begin, you'll need a few tools installed on your system:
- **Rust & Cargo:** [Install Rust](https://www.rust-lang.org/tools/install)
- **Docker:** [Install Docker](https://docs.docker.com/get-docker/) (Required for the K3D local cluster)
- **kubectl:** [Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) (For inspecting the cluster)
## 1. Install Harmony
First, clone the Harmony repository and build the project. This gives you the `harmony` CLI and all the core libraries.
```bash
# Clone the main repository
git clone https://git.nationtech.io/nationtech/harmony
cd harmony
# Build the project (this may take a few minutes)
cargo build --release
```
...
## Next Steps
Congratulations, you've just deployed an application using true infrastructure-as-code!
From here, you can:
- [Explore the Catalogs](../catalogs/README.md): See what other [Scores](../catalogs/scores.md) and [Topologies](../catalogs/topologies.md) are available.
- [Read the Use Cases](../use-cases/README.md): Check out the [OKD on Bare Metal](./use-cases/okd-on-bare-metal.md) guide for a more advanced scenario.
- [Write your own Score](../guides/writing-a-score.md): Dive into the [Developer Guide](./guides/developer-guide.md) to start building your own components.
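Review bot: the relative links under "Next Steps" mix two base paths: `../catalogs/README.md`, `../use-cases/README.md` and `../guides/writing-a-score.md` resolve from `docs/guides/`, while `./use-cases/okd-on-bare-metal.md` and `./guides/developer-guide.md` on the same lines would resolve to `docs/guides/use-cases/...` and `docs/guides/guides/...`, which do not match the hub README's layout. Use `../` consistently, and either add `developer-guide.md` to the hub's Developer Guides list or point this link at `writing-a-score.md`, which is the guide the hub actually lists.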


@@ -1,22 +1,28 @@
use std::str::FromStr;
use async_trait::async_trait;
use brocade::{BrocadeOptions, PortOperatingMode};
use harmony::{
data::Version,
infra::brocade::BrocadeSwitchClient,
interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
infra::brocade::BrocadeSwitchConfig,
inventory::Inventory,
score::Score,
topology::{
HostNetworkConfig, PortConfig, PreparationError, PreparationOutcome, Switch, SwitchClient,
SwitchError, Topology,
},
modules::brocade::{BrocadeSwitchAuth, BrocadeSwitchScore, SwitchTopology},
};
use harmony_macros::ip;
use harmony_types::{id::Id, net::MacAddress, switch::PortLocation};
use log::{debug, info};
use serde::Serialize;
use harmony_types::{id::Id, switch::PortLocation};
fn get_switch_config() -> BrocadeSwitchConfig {
let mut options = BrocadeOptions::default();
options.ssh.port = 2222;
let auth = BrocadeSwitchAuth {
username: "admin".to_string(),
password: "password".to_string(),
};
BrocadeSwitchConfig {
ips: vec![ip!("127.0.0.1")],
auth,
options,
}
}
#[tokio::main]
async fn main() {
@@ -32,126 +38,13 @@ async fn main() {
(PortLocation(1, 0, 18), PortOperatingMode::Trunk),
],
};
harmony_cli::run(
Inventory::autoload(),
SwitchTopology::new().await,
SwitchTopology::new(get_switch_config()).await,
vec![Box::new(switch_score)],
None,
)
.await
.unwrap();
}
#[derive(Clone, Debug, Serialize)]
struct BrocadeSwitchScore {
port_channels_to_clear: Vec<Id>,
ports_to_configure: Vec<PortConfig>,
}
impl<T: Topology + Switch> Score<T> for BrocadeSwitchScore {
fn name(&self) -> String {
"BrocadeSwitchScore".to_string()
}
#[doc(hidden)]
fn create_interpret(&self) -> Box<dyn Interpret<T>> {
Box::new(BrocadeSwitchInterpret {
score: self.clone(),
})
}
}
#[derive(Debug)]
struct BrocadeSwitchInterpret {
score: BrocadeSwitchScore,
}
#[async_trait]
impl<T: Topology + Switch> Interpret<T> for BrocadeSwitchInterpret {
async fn execute(
&self,
_inventory: &Inventory,
topology: &T,
) -> Result<Outcome, InterpretError> {
info!("Applying switch configuration {:?}", self.score);
debug!(
"Clearing port channel {:?}",
self.score.port_channels_to_clear
);
topology
.clear_port_channel(&self.score.port_channels_to_clear)
.await
.map_err(|e| InterpretError::new(e.to_string()))?;
debug!("Configuring interfaces {:?}", self.score.ports_to_configure);
topology
.configure_interface(&self.score.ports_to_configure)
.await
.map_err(|e| InterpretError::new(e.to_string()))?;
Ok(Outcome::success("switch configured".to_string()))
}
fn get_name(&self) -> InterpretName {
InterpretName::Custom("BrocadeSwitchInterpret")
}
fn get_version(&self) -> Version {
todo!()
}
fn get_status(&self) -> InterpretStatus {
todo!()
}
fn get_children(&self) -> Vec<Id> {
todo!()
}
}
struct SwitchTopology {
client: Box<dyn SwitchClient>,
}
#[async_trait]
impl Topology for SwitchTopology {
fn name(&self) -> &str {
"SwitchTopology"
}
async fn ensure_ready(&self) -> Result<PreparationOutcome, PreparationError> {
Ok(PreparationOutcome::Noop)
}
}
impl SwitchTopology {
async fn new() -> Self {
let mut options = BrocadeOptions::default();
options.ssh.port = 2222;
let client =
BrocadeSwitchClient::init(&vec![ip!("127.0.0.1")], &"admin", &"password", options)
.await
.expect("Failed to connect to switch");
let client = Box::new(client);
Self { client }
}
}
#[async_trait]
impl Switch for SwitchTopology {
async fn setup_switch(&self) -> Result<(), SwitchError> {
todo!()
}
async fn get_port_for_mac_address(
&self,
_mac_address: &MacAddress,
) -> Result<Option<PortLocation>, SwitchError> {
todo!()
}
async fn configure_port_channel(&self, _config: &HostNetworkConfig) -> Result<(), SwitchError> {
todo!()
}
async fn clear_port_channel(&self, ids: &Vec<Id>) -> Result<(), SwitchError> {
self.client.clear_port_channel(ids).await
}
async fn configure_interface(&self, ports: &Vec<PortConfig>) -> Result<(), SwitchError> {
self.client.configure_interface(ports).await
}
}
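Review bot: `get_switch_config()` hardcodes `username: "admin".to_string()` / `password: "password".to_string()` while the other brocade example in this same change was moved off literal credentials to `SecretManager::get_or_prompt::<BrocadeSwitchAuth>()`; use the same call here so a copy-paste of this example does not carry a literal password into a real config. The removed `SwitchTopology::new()` had the same literals, so this is not a regression, but `BrocadeOptions::default()` leaves `dry_run` at its default whereas the deleted HA example further down set `dry_run: *harmony::config::DRY_RUN`; set it explicitly so that applying port-channel and interface changes to whatever answers at the configured address is a conscious choice.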


@@ -1,24 +1,40 @@
use harmony::{
inventory::Inventory,
modules::{
cert_manager::{
capability::CertificateManagementConfig, score_k8s::CertificateManagementScore,
},
postgresql::{PostgreSQLScore, capability::PostgreSQLConfig},
modules::cert_manager::{
capability::CertificateManagementConfig, score_cert_management::CertificateManagementScore,
score_certificate::CertificateScore, score_issuer::CertificateIssuerScore,
},
topology::K8sAnywhereTopology,
};
#[tokio::main]
async fn main() {
let cert_manager = CertificateManagementScore {
config: CertificateManagementConfig {},
let config = CertificateManagementConfig {
namespace: Some("test".to_string()),
acme_issuer: None,
ca_issuer: None,
self_signed: true,
};
let issuer_name = "test-self-signed-issuer".to_string();
let issuer = CertificateIssuerScore {
issuer_name: issuer_name.clone(),
config: config.clone(),
};
let cert = CertificateScore {
config: config.clone(),
issuer_name,
cert_name: "test-self-signed-cert".to_string(),
common_name: None,
dns_names: Some(vec!["test.dns.name".to_string()]),
is_ca: Some(false),
};
harmony_cli::run(
Inventory::autoload(),
K8sAnywhereTopology::from_env(),
vec![Box::new(cert_manager)],
vec![Box::new(issuer), Box::new(cert)],
None,
)
.await


@@ -1,15 +0,0 @@
## OPNSense demo
Download the virtualbox snapshot from {{TODO URL}}
Start the virtualbox image
This virtualbox image is configured to use a bridge on the host's physical interface, make sure the bridge is up and the virtual machine can reach internet.
Credentials are opnsense default (root/opnsense)
Run the project with the correct ip address on the command line :
```bash
cargo run -p example-opnsense -- 192.168.5.229
```


@@ -1,143 +0,0 @@
use std::{
net::{IpAddr, Ipv4Addr},
sync::{Arc, OnceLock},
};
use brocade::BrocadeOptions;
use cidr::Ipv4Cidr;
use harmony::{
hardware::{HostCategory, Location, PhysicalHost, SwitchGroup},
infra::{brocade::BrocadeSwitchClient, opnsense::OPNSenseManagementInterface},
inventory::Inventory,
modules::{
dummy::{ErrorScore, PanicScore, SuccessScore},
http::StaticFilesHttpScore,
okd::{dhcp::OKDDhcpScore, dns::OKDDnsScore, load_balancer::OKDLoadBalancerScore},
opnsense::OPNsenseShellCommandScore,
tftp::TftpScore,
},
topology::{LogicalHost, UnmanagedRouter},
};
use harmony_macros::{ip, mac_address};
use harmony_secret::{Secret, SecretManager};
use harmony_types::net::Url;
use serde::{Deserialize, Serialize};
#[tokio::main]
async fn main() {
let firewall = harmony::topology::LogicalHost {
ip: ip!("192.168.5.229"),
name: String::from("opnsense-1"),
};
let switch_auth = SecretManager::get_or_prompt::<BrocadeSwitchAuth>()
.await
.expect("Failed to get credentials");
let switches: Vec<IpAddr> = vec![ip!("192.168.5.101")]; // TODO: Adjust me
let brocade_options = BrocadeOptions {
dry_run: *harmony::config::DRY_RUN,
..Default::default()
};
let switch_client = BrocadeSwitchClient::init(
&switches,
&switch_auth.username,
&switch_auth.password,
brocade_options,
)
.await
.expect("Failed to connect to switch");
let switch_client = Arc::new(switch_client);
let opnsense = Arc::new(
harmony::infra::opnsense::OPNSenseFirewall::new(firewall, None, "root", "opnsense").await,
);
let lan_subnet = Ipv4Addr::new(10, 100, 8, 0);
let gateway_ipv4 = Ipv4Addr::new(10, 100, 8, 1);
let gateway_ip = IpAddr::V4(gateway_ipv4);
let topology = harmony::topology::HAClusterTopology {
kubeconfig: None,
domain_name: "demo.harmony.mcd".to_string(),
router: Arc::new(UnmanagedRouter::new(
gateway_ip,
Ipv4Cidr::new(lan_subnet, 24).unwrap(),
)),
load_balancer: opnsense.clone(),
firewall: opnsense.clone(),
tftp_server: opnsense.clone(),
http_server: opnsense.clone(),
dhcp_server: opnsense.clone(),
dns_server: opnsense.clone(),
control_plane: vec![LogicalHost {
ip: ip!("10.100.8.20"),
name: "cp0".to_string(),
}],
bootstrap_host: LogicalHost {
ip: ip!("10.100.8.20"),
name: "cp0".to_string(),
},
workers: vec![],
switch_client: switch_client.clone(),
node_exporter: opnsense.clone(),
network_manager: OnceLock::new(),
};
let inventory = Inventory {
location: Location::new(
"232 des Éperviers, Wendake, Qc, G0A 4V0".to_string(),
"wk".to_string(),
),
switch: SwitchGroup::from([]),
firewall_mgmt: Box::new(OPNSenseManagementInterface::new()),
storage_host: vec![],
worker_host: vec![],
control_plane_host: vec![
PhysicalHost::empty(HostCategory::Server)
.mac_address(mac_address!("08:00:27:62:EC:C3")),
],
};
// TODO regroup smaller scores in a larger one such as this
// let okd_boostrap_preparation();
let dhcp_score = OKDDhcpScore::new(&topology, &inventory);
let dns_score = OKDDnsScore::new(&topology);
let load_balancer_score = OKDLoadBalancerScore::new(&topology);
let tftp_score = TftpScore::new(Url::LocalFolder("./data/watchguard/tftpboot".to_string()));
let http_score = StaticFilesHttpScore {
folder_to_serve: Some(Url::LocalFolder(
"./data/watchguard/pxe-http-files".to_string(),
)),
files: vec![],
remote_path: None,
};
harmony_tui::run(
inventory,
topology,
vec![
Box::new(dns_score),
Box::new(dhcp_score),
Box::new(load_balancer_score),
Box::new(tftp_score),
Box::new(http_score),
Box::new(OPNsenseShellCommandScore {
opnsense: opnsense.get_opnsense_config(),
command: "touch /tmp/helloharmonytouching".to_string(),
}),
Box::new(SuccessScore {}),
Box::new(ErrorScore {}),
Box::new(PanicScore {}),
],
)
.await
.unwrap();
}
#[derive(Secret, Serialize, Deserialize, Debug)]
pub struct BrocadeSwitchAuth {
pub username: String,
pub password: String,
}
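Review bot: good to see this example go: it passed the OPNsense default credentials as string literals (`OPNSenseFirewall::new(firewall, None, "root", "opnsense")`) while the switch login went through `SecretManager::get_or_prompt::<BrocadeSwitchAuth>()`, and it embedded a real street address in `Location::new(...)`. If an OPNsense example is reintroduced, route the firewall login through `SecretManager` exactly as `BrocadeSwitchAuth` does here, and keep site-specific inventory (addresses, `08:00:27:62:EC:C3`, `192.168.5.x` hosts) out of the examples tree or behind a clearly marked placeholder.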

View File

@@ -11,7 +11,7 @@ async fn main() {
role: HostRole::Worker,
number_desired_hosts: 3,
discovery_strategy: HarmonyDiscoveryStrategy::SUBNET {
cidr: cidrv4!("192.168.0.1/25"),
cidr: cidrv4!("192.168.2.0/24"),
port: 25000,
},
};
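Review bot: the old value `cidrv4!("192.168.0.1/25")` was a host address rather than a network address, so `192.168.2.0/24` is a correctness fix as well as a subnet change, and it doubles the scan range from 128 to 256 addresses on `port: 25000`; say so in the commit message so the wider scan is a deliberate choice and not a drive-by.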
@@ -20,7 +20,7 @@ async fn main() {
role: HostRole::ControlPlane,
number_desired_hosts: 3,
discovery_strategy: HarmonyDiscoveryStrategy::SUBNET {
cidr: cidrv4!("192.168.0.1/25"),
cidr: cidrv4!("192.168.2.0/24"),
port: 25000,
},
};
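Review bot: this `SUBNET { cidr: cidrv4!("192.168.2.0/24"), port: 25000 }` literal is now repeated verbatim for the worker and the control-plane strategies; hoist the subnet and port into a single constant (or read them from the inventory) so the two cannot drift apart the next time one of them is edited.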
@@ -28,7 +28,8 @@ async fn main() {
harmony_cli::run(
Inventory::autoload(),
LocalhostTopology::new(),
vec![Box::new(discover_worker), Box::new(discover_control_plane)],
vec![Box::new(discover_worker)],
//vec![Box::new(discover_worker), Box::new(discover_control_plane)],
None,
)
.await
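Review bot: the control-plane score is still constructed above (`role: HostRole::ControlPlane, number_desired_hosts: 3`) but no longer passed to `harmony_cli::run`, so `discover_control_plane` becomes an unused binding and rustc will warn on every build of this example; the commented-out `//vec![Box::new(discover_worker), Box::new(discover_control_plane)],` should not ship either. If control-plane discovery is disabled on purpose, say why in a comment and drop the unused binding; otherwise restore it in the vector.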

View File

@@ -0,0 +1,20 @@
[package]
name = "example-k8s-drain-node"
edition = "2024"
version.workspace = true
readme.workspace = true
license.workspace = true
publish = false
[dependencies]
harmony = { path = "../../harmony" }
harmony_cli = { path = "../../harmony_cli" }
harmony_types = { path = "../../harmony_types" }
cidr.workspace = true
tokio.workspace = true
harmony_macros = { path = "../../harmony_macros" }
log.workspace = true
env_logger.workspace = true
url.workspace = true
assert_cmd = "2.0.16"
inquire.workspace = true
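Review bot: `assert_cmd = "2.0.16"` is a test-only crate listed under `[dependencies]`, and `cidr`, `harmony_types`, `harmony_macros`, `harmony_cli` and `url` are not used by the `main.rs` added for this example; move `assert_cmd` to `[dev-dependencies]` (as a `.workspace = true` entry if the workspace pins it, like the other dependencies here) and drop the unused crates so the example builds only what it needs. The manifest reads as copied from another example.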

View File

@@ -0,0 +1,61 @@
use std::time::Duration;
use harmony::topology::k8s::{DrainOptions, K8sClient};
use log::{info, trace};
#[tokio::main]
async fn main() {
env_logger::init();
let k8s = K8sClient::try_default().await.unwrap();
let nodes = k8s.get_nodes(None).await.unwrap();
trace!("Got nodes : {nodes:#?}");
let node_names = nodes
.iter()
.map(|n| n.metadata.name.as_ref().unwrap())
.collect::<Vec<&String>>();
info!("Got nodes : {:?}", node_names);
let node_name = inquire::Select::new("What node do you want to operate on?", node_names)
.prompt()
.unwrap();
let drain = inquire::Confirm::new("Do you wish to drain the node now ?")
.prompt()
.unwrap();
if drain {
let mut options = DrainOptions::default_ignore_daemonset_delete_emptydir_data();
options.timeout = Duration::from_secs(1);
k8s.drain_node(&node_name, &options).await.unwrap();
info!("Node {node_name} successfully drained");
}
let uncordon =
inquire::Confirm::new("Do you wish to uncordon node to resume scheduling workloads now?")
.prompt()
.unwrap();
if uncordon {
info!("Uncordoning node {node_name}");
k8s.uncordon_node(node_name).await.unwrap();
info!("Node {node_name} uncordoned");
}
let reboot = inquire::Confirm::new("Do you wish to reboot node now?")
.prompt()
.unwrap();
if reboot {
k8s.reboot_node(
&node_name,
&DrainOptions::default_ignore_daemonset_delete_emptydir_data(),
Duration::from_secs(3600),
)
.await
.unwrap();
}
info!("All done playing with nodes, happy harmonizing!");
}
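Review bot: `options.timeout = Duration::from_secs(1);` gives the drain one second, which will fail on any node running pods with a non-trivial `terminationGracePeriodSeconds`, and the `unwrap()` on the next line turns that failure into a panic, while the reboot path below uses `Duration::from_secs(3600)`; pick a realistic timeout (or prompt for it) and report the error instead of panicking. Both paths also use `DrainOptions::default_ignore_daemonset_delete_emptydir_data()`, so the confirm prompts should say that emptyDir data on the node will be lost, and the uncordon prompt is asked even when the user declined the drain, which uncordons a node that was never cordoned.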

View File

@@ -0,0 +1,20 @@
[package]
name = "example-k8s-write-file-on-node"
edition = "2024"
version.workspace = true
readme.workspace = true
license.workspace = true
publish = false
[dependencies]
harmony = { path = "../../harmony" }
harmony_cli = { path = "../../harmony_cli" }
harmony_types = { path = "../../harmony_types" }
cidr.workspace = true
tokio.workspace = true
harmony_macros = { path = "../../harmony_macros" }
log.workspace = true
env_logger.workspace = true
url.workspace = true
assert_cmd = "2.0.16"
inquire.workspace = true
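Review bot: same manifest as the drain example: `assert_cmd = "2.0.16"` belongs in `[dev-dependencies]`, and `cidr`, `harmony_types`, `harmony_macros`, `harmony_cli` and `url` are not referenced by this example's `main.rs`; trim the list to `harmony`, `tokio`, `log`, `env_logger` and `inquire`.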

View File

@@ -0,0 +1,45 @@
use harmony::topology::k8s::{DrainOptions, K8sClient, NodeFile};
use log::{info, trace};
#[tokio::main]
async fn main() {
env_logger::init();
let k8s = K8sClient::try_default().await.unwrap();
let nodes = k8s.get_nodes(None).await.unwrap();
trace!("Got nodes : {nodes:#?}");
let node_names = nodes
.iter()
.map(|n| n.metadata.name.as_ref().unwrap())
.collect::<Vec<&String>>();
info!("Got nodes : {:?}", node_names);
let node = inquire::Select::new("What node do you want to write file to?", node_names)
.prompt()
.unwrap();
let path = inquire::Text::new("File path on node").prompt().unwrap();
let content = inquire::Text::new("File content").prompt().unwrap();
let node_file = NodeFile {
path: path,
content: content,
mode: 0o600,
};
k8s.write_files_to_node(&node, &vec![node_file.clone()])
.await
.unwrap();
let cmd = inquire::Text::new("Command to run on node")
.prompt()
.unwrap();
k8s.run_privileged_command_on_node(&node, &cmd)
.await
.unwrap();
info!(
"File {} mode {} written in node {node}",
node_file.path, node_file.mode
);
}
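Review bot: `run_privileged_command_on_node(&node, &cmd)` executes whatever the user typed as a privileged command on the node with no confirm step, unlike the `inquire::Confirm` gates in the drain example; add one, and emit the `File {} mode {} written in node {node}` log right after `write_files_to_node` succeeds rather than after the command, because a failing command currently panics on `unwrap()` before that line is ever printed and the reader cannot tell whether the file landed. Minor: `DrainOptions` is imported but unused, and `path: path, content: content` can be written `path, content`.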

View File

@@ -1,4 +0,0 @@
#!/bin/bash
helm install --create-namespace --namespace rook-ceph rook-ceph-cluster \
--set operatorNamespace=rook-ceph rook-release/rook-ceph-cluster -f values.yaml
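Review bot: the deleted script installed `rook-release/rook-ceph-cluster` without `--version`, so it tracked whatever the chart repo served at run time; if this install is moving into a Harmony score, pin the chart version there and keep the `--create-namespace --namespace rook-ceph` / `operatorNamespace=rook-ceph` pairing so the cluster lands in the operator's namespace.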

View File

@@ -1,721 +0,0 @@
# Default values for a single rook-ceph cluster
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# -- Namespace of the main rook operator
operatorNamespace: rook-ceph
# -- The metadata.name of the CephCluster CR
# @default -- The same as the namespace
clusterName:
# -- Optional override of the target kubernetes version
kubeVersion:
# -- Cluster ceph.conf override
configOverride:
# configOverride: |
# [global]
# mon_allow_pool_delete = true
# osd_pool_default_size = 3
# osd_pool_default_min_size = 2
# Installs a debugging toolbox deployment
toolbox:
# -- Enable Ceph debugging pod deployment. See [toolbox](../Troubleshooting/ceph-toolbox.md)
enabled: true
# -- Toolbox image, defaults to the image used by the Ceph cluster
image: #quay.io/ceph/ceph:v19.2.2
# -- Toolbox tolerations
tolerations: []
# -- Toolbox affinity
affinity: {}
# -- Toolbox container security context
containerSecurityContext:
runAsNonRoot: true
runAsUser: 2016
runAsGroup: 2016
capabilities:
drop: ["ALL"]
# -- Toolbox resources
resources:
limits:
memory: "1Gi"
requests:
cpu: "100m"
memory: "128Mi"
# -- Set the priority class for the toolbox if desired
priorityClassName:
monitoring:
# -- Enable Prometheus integration, will also create necessary RBAC rules to allow Operator to create ServiceMonitors.
# Monitoring requires Prometheus to be pre-installed
enabled: false
# -- Whether to disable the metrics reported by Ceph. If false, the prometheus mgr module and Ceph exporter are enabled
metricsDisabled: false
# -- Whether to create the Prometheus rules for Ceph alerts
createPrometheusRules: false
# -- The namespace in which to create the prometheus rules, if different from the rook cluster namespace.
# If you have multiple rook-ceph clusters in the same k8s cluster, choose the same namespace (ideally, namespace with prometheus
# deployed) to set rulesNamespaceOverride for all the clusters. Otherwise, you will get duplicate alerts with multiple alert definitions.
rulesNamespaceOverride:
# Monitoring settings for external clusters:
# externalMgrEndpoints: <list of endpoints>
# externalMgrPrometheusPort: <port>
# Scrape interval for prometheus
# interval: 10s
# allow adding custom labels and annotations to the prometheus rule
prometheusRule:
# -- Labels applied to PrometheusRule
labels: {}
# -- Annotations applied to PrometheusRule
annotations: {}
# -- Create & use PSP resources. Set this to the same value as the rook-ceph chart.
pspEnable: false
# imagePullSecrets option allow to pull docker images from private docker registry. Option will be passed to all service accounts.
# imagePullSecrets:
# - name: my-registry-secret
# All values below are taken from the CephCluster CRD
# -- Cluster configuration.
# @default -- See [below](#ceph-cluster-spec)
cephClusterSpec:
# This cluster spec example is for a converged cluster where all the Ceph daemons are running locally,
# as in the host-based example (cluster.yaml). For a different configuration such as a
# PVC-based cluster (cluster-on-pvc.yaml), external cluster (cluster-external.yaml),
# or stretch cluster (cluster-stretched.yaml), replace this entire `cephClusterSpec`
# with the specs from those examples.
# For more details, check https://rook.io/docs/rook/v1.10/CRDs/Cluster/ceph-cluster-crd/
cephVersion:
# The container image used to launch the Ceph daemon pods (mon, mgr, osd, mds, rgw).
# v18 is Reef, v19 is Squid
# RECOMMENDATION: In production, use a specific version tag instead of the general v18 flag, which pulls the latest release and could result in different
# versions running within the cluster. See tags available at https://hub.docker.com/r/ceph/ceph/tags/.
# If you want to be more precise, you can always use a timestamp tag such as quay.io/ceph/ceph:v19.2.2-20250409
# This tag might not contain a new Ceph version, just security fixes from the underlying operating system, which will reduce vulnerabilities
image: quay.io/ceph/ceph:v19.2.2
# Whether to allow unsupported versions of Ceph. Currently Reef and Squid are supported.
# Future versions such as Tentacle (v20) would require this to be set to `true`.
# Do not set to true in production.
allowUnsupported: false
# The path on the host where configuration files will be persisted. Must be specified. If there are multiple clusters, the directory must be unique for each cluster.
# Important: if you reinstall the cluster, make sure you delete this directory from each host or else the mons will fail to start on the new cluster.
# In Minikube, the '/data' directory is configured to persist across reboots. Use "/data/rook" in Minikube environment.
dataDirHostPath: /var/lib/rook
# Whether or not upgrade should continue even if a check fails
# This means Ceph's status could be degraded and we don't recommend upgrading but you might decide otherwise
# Use at your OWN risk
# To understand Rook's upgrade process of Ceph, read https://rook.io/docs/rook/v1.10/Upgrade/ceph-upgrade/
skipUpgradeChecks: false
# Whether or not continue if PGs are not clean during an upgrade
continueUpgradeAfterChecksEvenIfNotHealthy: false
# WaitTimeoutForHealthyOSDInMinutes defines the time (in minutes) the operator would wait before an OSD can be stopped for upgrade or restart.
# If the timeout exceeds and OSD is not ok to stop, then the operator would skip upgrade for the current OSD and proceed with the next one
# if `continueUpgradeAfterChecksEvenIfNotHealthy` is `false`. If `continueUpgradeAfterChecksEvenIfNotHealthy` is `true`, then operator would
# continue with the upgrade of an OSD even if its not ok to stop after the timeout. This timeout won't be applied if `skipUpgradeChecks` is `true`.
# The default wait timeout is 10 minutes.
waitTimeoutForHealthyOSDInMinutes: 10
# Whether or not requires PGs are clean before an OSD upgrade. If set to `true` OSD upgrade process won't start until PGs are healthy.
# This configuration will be ignored if `skipUpgradeChecks` is `true`.
# Default is false.
upgradeOSDRequiresHealthyPGs: false
mon:
# Set the number of mons to be started. Generally recommended to be 3.
# For highest availability, an odd number of mons should be specified.
count: 3
# The mons should be on unique nodes. For production, at least 3 nodes are recommended for this reason.
# Mons should only be allowed on the same node for test environments where data loss is acceptable.
allowMultiplePerNode: false
mgr:
# When higher availability of the mgr is needed, increase the count to 2.
# In that case, one mgr will be active and one in standby. When Ceph updates which
# mgr is active, Rook will update the mgr services to match the active mgr.
count: 2
allowMultiplePerNode: false
modules:
# List of modules to optionally enable or disable.
# Note the "dashboard" and "monitoring" modules are already configured by other settings in the cluster CR.
# - name: rook
# enabled: true
# enable the ceph dashboard for viewing cluster status
dashboard:
enabled: true
# serve the dashboard under a subpath (useful when you are accessing the dashboard via a reverse proxy)
# urlPrefix: /ceph-dashboard
# serve the dashboard at the given port.
# port: 8443
# Serve the dashboard using SSL (if using ingress to expose the dashboard and `ssl: true` you need to set
# the corresponding "backend protocol" annotation(s) for your ingress controller of choice)
ssl: true
# Network configuration, see: https://github.com/rook/rook/blob/master/Documentation/CRDs/Cluster/ceph-cluster-crd.md#network-configuration-settings
network:
connections:
# Whether to encrypt the data in transit across the wire to prevent eavesdropping the data on the network.
# The default is false. When encryption is enabled, all communication between clients and Ceph daemons, or between Ceph daemons will be encrypted.
# When encryption is not enabled, clients still establish a strong initial authentication and data integrity is still validated with a crc check.
# IMPORTANT: Encryption requires the 5.11 kernel for the latest nbd and cephfs drivers. Alternatively for testing only,
# you can set the "mounter: rbd-nbd" in the rbd storage class, or "mounter: fuse" in the cephfs storage class.
# The nbd and fuse drivers are *not* recommended in production since restarting the csi driver pod will disconnect the volumes.
encryption:
enabled: false
# Whether to compress the data in transit across the wire. The default is false.
# The kernel requirements above for encryption also apply to compression.
compression:
enabled: false
# Whether to require communication over msgr2. If true, the msgr v1 port (6789) will be disabled
# and clients will be required to connect to the Ceph cluster with the v2 port (3300).
# Requires a kernel that supports msgr v2 (kernel 5.11 or CentOS 8.4 or newer).
requireMsgr2: false
# # enable host networking
# provider: host
# # EXPERIMENTAL: enable the Multus network provider
# provider: multus
# selectors:
# # The selector keys are required to be `public` and `cluster`.
# # Based on the configuration, the operator will do the following:
# # 1. if only the `public` selector key is specified both public_network and cluster_network Ceph settings will listen on that interface
# # 2. if both `public` and `cluster` selector keys are specified the first one will point to 'public_network' flag and the second one to 'cluster_network'
# #
# # In order to work, each selector value must match a NetworkAttachmentDefinition object in Multus
# #
# # public: public-conf --> NetworkAttachmentDefinition object name in Multus
# # cluster: cluster-conf --> NetworkAttachmentDefinition object name in Multus
# # Provide internet protocol version. IPv6, IPv4 or empty string are valid options. Empty string would mean IPv4
# ipFamily: "IPv6"
# # Ceph daemons to listen on both IPv4 and Ipv6 networks
# dualStack: false
# enable the crash collector for ceph daemon crash collection
crashCollector:
disable: false
# Uncomment daysToRetain to prune ceph crash entries older than the
# specified number of days.
# daysToRetain: 30
# enable log collector, daemons will log on files and rotate
logCollector:
enabled: true
periodicity: daily # one of: hourly, daily, weekly, monthly
maxLogSize: 500M # SUFFIX may be 'M' or 'G'. Must be at least 1M.
# automate [data cleanup process](https://github.com/rook/rook/blob/master/Documentation/Storage-Configuration/ceph-teardown.md#delete-the-data-on-hosts) in cluster destruction.
cleanupPolicy:
# Since cluster cleanup is destructive to data, confirmation is required.
# To destroy all Rook data on hosts during uninstall, confirmation must be set to "yes-really-destroy-data".
# This value should only be set when the cluster is about to be deleted. After the confirmation is set,
# Rook will immediately stop configuring the cluster and only wait for the delete command.
# If the empty string is set, Rook will not destroy any data on hosts during uninstall.
confirmation: ""
# sanitizeDisks represents settings for sanitizing OSD disks on cluster deletion
sanitizeDisks:
# method indicates if the entire disk should be sanitized or simply ceph's metadata
# in both case, re-install is possible
# possible choices are 'complete' or 'quick' (default)
method: quick
# dataSource indicate where to get random bytes from to write on the disk
# possible choices are 'zero' (default) or 'random'
# using random sources will consume entropy from the system and will take much more time then the zero source
dataSource: zero
# iteration overwrite N times instead of the default (1)
# takes an integer value
iteration: 1
# allowUninstallWithVolumes defines how the uninstall should be performed
# If set to true, cephCluster deletion does not wait for the PVs to be deleted.
allowUninstallWithVolumes: false
# To control where various services will be scheduled by kubernetes, use the placement configuration sections below.
# The example under 'all' would have all services scheduled on kubernetes nodes labeled with 'role=storage-node' and
# tolerate taints with a key of 'storage-node'.
# placement:
# all:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: role
# operator: In
# values:
# - storage-node
# podAffinity:
# podAntiAffinity:
# topologySpreadConstraints:
# tolerations:
# - key: storage-node
# operator: Exists
# # The above placement information can also be specified for mon, osd, and mgr components
# mon:
# # Monitor deployments may contain an anti-affinity rule for avoiding monitor
# # collocation on the same node. This is a required rule when host network is used
# # or when AllowMultiplePerNode is false. Otherwise this anti-affinity rule is a
# # preferred rule with weight: 50.
# osd:
# mgr:
# cleanup:
# annotations:
# all:
# mon:
# osd:
# cleanup:
# prepareosd:
# # If no mgr annotations are set, prometheus scrape annotations will be set by default.
# mgr:
# dashboard:
# labels:
# all:
# mon:
# osd:
# cleanup:
# mgr:
# prepareosd:
# # monitoring is a list of key-value pairs. It is injected into all the monitoring resources created by operator.
# # These labels can be passed as LabelSelector to Prometheus
# monitoring:
# dashboard:
resources:
mgr:
limits:
memory: "1Gi"
requests:
cpu: "500m"
memory: "512Mi"
mon:
limits:
memory: "2Gi"
requests:
cpu: "1000m"
memory: "1Gi"
osd:
limits:
memory: "4Gi"
requests:
cpu: "1000m"
memory: "4Gi"
prepareosd:
# limits: It is not recommended to set limits on the OSD prepare job
# since it's a one-time burst for memory that must be allowed to
# complete without an OOM kill. Note however that if a k8s
# limitRange guardrail is defined external to Rook, the lack of
# a limit here may result in a sync failure, in which case a
# limit should be added. 1200Mi may suffice for up to 15Ti
# OSDs ; for larger devices 2Gi may be required.
# cf. https://github.com/rook/rook/pull/11103
requests:
cpu: "500m"
memory: "50Mi"
mgr-sidecar:
limits:
memory: "100Mi"
requests:
cpu: "100m"
memory: "40Mi"
crashcollector:
limits:
memory: "60Mi"
requests:
cpu: "100m"
memory: "60Mi"
logcollector:
limits:
memory: "1Gi"
requests:
cpu: "100m"
memory: "100Mi"
cleanup:
limits:
memory: "1Gi"
requests:
cpu: "500m"
memory: "100Mi"
exporter:
limits:
memory: "128Mi"
requests:
cpu: "50m"
memory: "50Mi"
# The option to automatically remove OSDs that are out and are safe to destroy.
removeOSDsIfOutAndSafeToRemove: false
# priority classes to apply to ceph resources
priorityClassNames:
mon: system-node-critical
osd: system-node-critical
mgr: system-cluster-critical
storage: # cluster level storage configuration and selection
useAllNodes: true
useAllDevices: true
# deviceFilter:
# config:
# crushRoot: "custom-root" # specify a non-default root label for the CRUSH map
# metadataDevice: "md0" # specify a non-rotational storage so ceph-volume will use it as block db device of bluestore.
# databaseSizeMB: "1024" # uncomment if the disks are smaller than 100 GB
# osdsPerDevice: "1" # this value can be overridden at the node or device level
# encryptedDevice: "true" # the default value for this option is "false"
# # Individual nodes and their config can be specified as well, but 'useAllNodes' above must be set to false. Then, only the named
# # nodes below will be used as storage resources. Each node's 'name' field should match their 'kubernetes.io/hostname' label.
# nodes:
# - name: "172.17.4.201"
# devices: # specific devices to use for storage can be specified for each node
# - name: "sdb"
# - name: "nvme01" # multiple osds can be created on high performance devices
# config:
# osdsPerDevice: "5"
# - name: "/dev/disk/by-id/ata-ST4000DM004-XXXX" # devices can be specified using full udev paths
# config: # configuration can be specified at the node level which overrides the cluster level config
# - name: "172.17.4.301"
# deviceFilter: "^sd."
# The section for configuring management of daemon disruptions during upgrade or fencing.
disruptionManagement:
# If true, the operator will create and manage PodDisruptionBudgets for OSD, Mon, RGW, and MDS daemons. OSD PDBs are managed dynamically
# via the strategy outlined in the [design](https://github.com/rook/rook/blob/master/design/ceph/ceph-managed-disruptionbudgets.md). The operator will
# block eviction of OSDs by default and unblock them safely when drains are detected.
managePodBudgets: true
# A duration in minutes that determines how long an entire failureDomain like `region/zone/host` will be held in `noout` (in addition to the
# default DOWN/OUT interval) when it is draining. This is only relevant when `managePodBudgets` is `true`. The default value is `30` minutes.
osdMaintenanceTimeout: 30
# Configure the healthcheck and liveness probes for ceph pods.
# Valid values for daemons are 'mon', 'osd', 'status'
healthCheck:
daemonHealth:
mon:
disabled: false
interval: 45s
osd:
disabled: false
interval: 60s
status:
disabled: false
interval: 60s
# Change pod liveness probe, it works for all mon, mgr, and osd pods.
livenessProbe:
mon:
disabled: false
mgr:
disabled: false
osd:
disabled: false
ingress:
# -- Enable an ingress for the ceph-dashboard
dashboard:
# {}
# labels:
# external-dns/private: "true"
annotations:
"route.openshift.io/termination": "passthrough"
# external-dns.alpha.kubernetes.io/hostname: dashboard.example.com
# nginx.ingress.kubernetes.io/rewrite-target: /ceph-dashboard/$2
# If the dashboard has ssl: true the following will make sure the NGINX Ingress controller can expose the dashboard correctly
# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# nginx.ingress.kubernetes.io/server-snippet: |
# proxy_ssl_verify off;
host:
name: ceph.apps.ncd0.harmony.mcd
path: null # TODO the chart does not allow removing the path, and it causes openshift to fail creating a route, because path is not supported with termination mode passthrough
pathType: ImplementationSpecific
tls:
- {}
# secretName: testsecret-tls
# Note: Only one of ingress class annotation or the `ingressClassName:` can be used at a time
# to set the ingress class
# ingressClassName: openshift-default
# labels:
# external-dns/private: "true"
# annotations:
# external-dns.alpha.kubernetes.io/hostname: dashboard.example.com
# nginx.ingress.kubernetes.io/rewrite-target: /ceph-dashboard/$2
# If the dashboard has ssl: true the following will make sure the NGINX Ingress controller can expose the dashboard correctly
# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# nginx.ingress.kubernetes.io/server-snippet: |
# proxy_ssl_verify off;
# host:
# name: dashboard.example.com
# path: "/ceph-dashboard(/|$)(.*)"
# pathType: Prefix
# tls:
# - hosts:
# - dashboard.example.com
# secretName: testsecret-tls
## Note: Only one of ingress class annotation or the `ingressClassName:` can be used at a time
## to set the ingress class
# ingressClassName: nginx
# -- A list of CephBlockPool configurations to deploy
# @default -- See [below](#ceph-block-pools)
cephBlockPools:
- name: ceph-blockpool
# see https://github.com/rook/rook/blob/master/Documentation/CRDs/Block-Storage/ceph-block-pool-crd.md#spec for available configuration
spec:
failureDomain: host
replicated:
size: 3
# Enables collecting RBD per-image IO statistics by enabling dynamic OSD performance counters. Defaults to false.
# For reference: https://docs.ceph.com/docs/latest/mgr/prometheus/#rbd-io-statistics
# enableRBDStats: true
storageClass:
enabled: true
name: ceph-block
annotations: {}
labels: {}
isDefault: true
reclaimPolicy: Delete
allowVolumeExpansion: true
volumeBindingMode: "Immediate"
mountOptions: []
# see https://kubernetes.io/docs/concepts/storage/storage-classes/#allowed-topologies
allowedTopologies: []
# - matchLabelExpressions:
# - key: rook-ceph-role
# values:
# - storage-node
# see https://github.com/rook/rook/blob/master/Documentation/Storage-Configuration/Block-Storage-RBD/block-storage.md#provision-storage for available configuration
parameters:
# (optional) mapOptions is a comma-separated list of map options.
# For krbd options refer
# https://docs.ceph.com/docs/latest/man/8/rbd/#kernel-rbd-krbd-options
# For nbd options refer
# https://docs.ceph.com/docs/latest/man/8/rbd-nbd/#options
# mapOptions: lock_on_read,queue_depth=1024
# (optional) unmapOptions is a comma-separated list of unmap options.
# For krbd options refer
# https://docs.ceph.com/docs/latest/man/8/rbd/#kernel-rbd-krbd-options
# For nbd options refer
# https://docs.ceph.com/docs/latest/man/8/rbd-nbd/#options
# unmapOptions: force
# RBD image format. Defaults to "2".
imageFormat: "2"
# RBD image features, equivalent to OR'd bitfield value: 63
# Available for imageFormat: "2". Older releases of CSI RBD
# support only the `layering` feature. The Linux kernel (KRBD) supports the
# full feature complement as of 5.4
imageFeatures: layering
# These secrets contain Ceph admin credentials.
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: "{{ .Release.Namespace }}"
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: "{{ .Release.Namespace }}"
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: "{{ .Release.Namespace }}"
# Specify the filesystem type of the volume. If not specified, csi-provisioner
# will set default as `ext4`. Note that `xfs` is not recommended due to potential deadlock
# in hyperconverged settings where the volume is mounted on the same node as the osds.
csi.storage.k8s.io/fstype: ext4
# -- A list of CephFileSystem configurations to deploy
# @default -- See [below](#ceph-file-systems)
cephFileSystems:
- name: ceph-filesystem
# see https://github.com/rook/rook/blob/master/Documentation/CRDs/Shared-Filesystem/ceph-filesystem-crd.md#filesystem-settings for available configuration
spec:
metadataPool:
replicated:
size: 3
dataPools:
- failureDomain: host
replicated:
size: 3
# Optional and highly recommended, 'data0' by default, see https://github.com/rook/rook/blob/master/Documentation/CRDs/Shared-Filesystem/ceph-filesystem-crd.md#pools
name: data0
metadataServer:
activeCount: 1
activeStandby: true
resources:
limits:
memory: "4Gi"
requests:
cpu: "1000m"
memory: "4Gi"
priorityClassName: system-cluster-critical
storageClass:
enabled: true
isDefault: false
name: ceph-filesystem
# (Optional) specify a data pool to use, must be the name of one of the data pools above, 'data0' by default
pool: data0
reclaimPolicy: Delete
allowVolumeExpansion: true
volumeBindingMode: "Immediate"
annotations: {}
labels: {}
mountOptions: []
# see https://github.com/rook/rook/blob/master/Documentation/Storage-Configuration/Shared-Filesystem-CephFS/filesystem-storage.md#provision-storage for available configuration
parameters:
# The secrets contain Ceph admin credentials.
csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: "{{ .Release.Namespace }}"
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: "{{ .Release.Namespace }}"
csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
csi.storage.k8s.io/node-stage-secret-namespace: "{{ .Release.Namespace }}"
# Specify the filesystem type of the volume. If not specified, csi-provisioner
# will set default as `ext4`. Note that `xfs` is not recommended due to potential deadlock
# in hyperconverged settings where the volume is mounted on the same node as the osds.
csi.storage.k8s.io/fstype: ext4
# -- Settings for the filesystem snapshot class
# @default -- See [CephFS Snapshots](../Storage-Configuration/Ceph-CSI/ceph-csi-snapshot.md#cephfs-snapshots)
cephFileSystemVolumeSnapshotClass:
enabled: false
name: ceph-filesystem
isDefault: true
deletionPolicy: Delete
annotations: {}
labels: {}
# see https://rook.io/docs/rook/v1.10/Storage-Configuration/Ceph-CSI/ceph-csi-snapshot/#cephfs-snapshots for available configuration
parameters: {}
# -- Settings for the block pool snapshot class
# @default -- See [RBD Snapshots](../Storage-Configuration/Ceph-CSI/ceph-csi-snapshot.md#rbd-snapshots)
cephBlockPoolsVolumeSnapshotClass:
enabled: false
name: ceph-block
isDefault: false
deletionPolicy: Delete
annotations: {}
labels: {}
# see https://rook.io/docs/rook/v1.10/Storage-Configuration/Ceph-CSI/ceph-csi-snapshot/#rbd-snapshots for available configuration
parameters: {}
# -- A list of CephObjectStore configurations to deploy
# @default -- See [below](#ceph-object-stores)
cephObjectStores:
- name: ceph-objectstore
# see https://github.com/rook/rook/blob/master/Documentation/CRDs/Object-Storage/ceph-object-store-crd.md#object-store-settings for available configuration
spec:
metadataPool:
failureDomain: host
replicated:
size: 3
dataPool:
failureDomain: host
erasureCoded:
dataChunks: 2
codingChunks: 1
parameters:
bulk: "true"
preservePoolsOnDelete: true
gateway:
port: 80
resources:
limits:
memory: "2Gi"
requests:
cpu: "1000m"
memory: "1Gi"
# securePort: 443
# sslCertificateRef:
instances: 1
priorityClassName: system-cluster-critical
# opsLogSidecar:
# resources:
# limits:
# memory: "100Mi"
# requests:
# cpu: "100m"
# memory: "40Mi"
storageClass:
enabled: true
name: ceph-bucket
reclaimPolicy: Delete
volumeBindingMode: "Immediate"
annotations: {}
labels: {}
# see https://github.com/rook/rook/blob/master/Documentation/Storage-Configuration/Object-Storage-RGW/ceph-object-bucket-claim.md#storageclass for available configuration
parameters:
# note: objectStoreNamespace and objectStoreName are configured by the chart
region: us-east-1
ingress:
# Enable an ingress for the ceph-objectstore
enabled: true
# The ingress port by default will be the object store's "securePort" (if set), or the gateway "port".
# To override those defaults, set this ingress port to the desired port.
# port: 80
# annotations: {}
host:
name: objectstore.apps.ncd0.harmony.mcd
path: /
pathType: Prefix
# tls:
# - hosts:
# - objectstore.example.com
# secretName: ceph-objectstore-tls
# ingressClassName: nginx
## cephECBlockPools are disabled by default, please remove the comments and set desired values to enable it
## For erasure coded a replicated metadata pool is required.
## https://rook.io/docs/rook/latest/CRDs/Shared-Filesystem/ceph-filesystem-crd/#erasure-coded
#cephECBlockPools:
# - name: ec-pool
# spec:
# metadataPool:
# replicated:
# size: 2
# dataPool:
# failureDomain: osd
# erasureCoded:
# dataChunks: 2
# codingChunks: 1
# deviceClass: hdd
#
# parameters:
# # clusterID is the namespace where the rook cluster is running
# # If you change this namespace, also change the namespace below where the secret namespaces are defined
# clusterID: rook-ceph # namespace:cluster
# # (optional) mapOptions is a comma-separated list of map options.
# # For krbd options refer
# # https://docs.ceph.com/docs/latest/man/8/rbd/#kernel-rbd-krbd-options
# # For nbd options refer
# # https://docs.ceph.com/docs/latest/man/8/rbd-nbd/#options
# # mapOptions: lock_on_read,queue_depth=1024
#
# # (optional) unmapOptions is a comma-separated list of unmap options.
# # For krbd options refer
# # https://docs.ceph.com/docs/latest/man/8/rbd/#kernel-rbd-krbd-options
# # For nbd options refer
# # https://docs.ceph.com/docs/latest/man/8/rbd-nbd/#options
# # unmapOptions: force
#
# # RBD image format. Defaults to "2".
# imageFormat: "2"
#
# # RBD image features, equivalent to OR'd bitfield value: 63
# # Available for imageFormat: "2". Older releases of CSI RBD
# # support only the `layering` feature. The Linux kernel (KRBD) supports the
# # full feature complement as of 5.4
# # imageFeatures: layering,fast-diff,object-map,deep-flatten,exclusive-lock
# imageFeatures: layering
#
# storageClass:
# provisioner: rook-ceph.rbd.csi.ceph.com # csi-provisioner-name
# enabled: true
# name: rook-ceph-block
# isDefault: false
# annotations: { }
# labels: { }
# allowVolumeExpansion: true
# reclaimPolicy: Delete
# -- CSI driver name prefix for cephfs, rbd and nfs.
# @default -- `namespace name where rook-ceph operator is deployed`
csiDriverNamePrefix:
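Review bot: The object store ingress is enabled (`ingress.enabled: true` with `host.name: objectstore.apps.ncd0.harmony.mcd`) while `securePort: 443`, `sslCertificateRef` and the ingress `tls:` block are all left commented out, so the RGW gateway on `port: 80` is reachable over plaintext HTTP through the ingress. If this values file stays in the tree, either enable TLS on the gateway and ingress or add a comment stating that termination happens elsewhere. The hostname is also environment-specific (`ncd0.harmony.mcd`), which belongs in a per-site override rather than a values file that reads like a chart default.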


@@ -1,3 +0,0 @@
#!/bin/bash
helm repo add rook-release https://charts.rook.io/release
helm install --create-namespace --namespace rook-ceph rook-ceph rook-release/rook-ceph -f values.yaml
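Review bot: Removing this script drops the only recorded way the rook-ceph chart was installed (`helm repo add rook-release https://charts.rook.io/release` followed by `helm install ... -f values.yaml`), and the companion `values.yaml` is deleted in the same change. If the deployment now lives in Harmony code, add a line to the PR description or a README pointing at the replacement so an operator can still reproduce the install without digging through history.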


@@ -1,674 +0,0 @@
# Default values for rook-ceph-operator
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
image:
# -- Image
repository: docker.io/rook/ceph
# -- Image tag
# @default -- `master`
tag: v1.17.1
# -- Image pull policy
pullPolicy: IfNotPresent
crds:
# -- Whether the helm chart should create and update the CRDs. If false, the CRDs must be
# managed independently with deploy/examples/crds.yaml.
# **WARNING** Only set during first deployment. If later disabled the cluster may be DESTROYED.
# If the CRDs are deleted in this case, see
# [the disaster recovery guide](https://rook.io/docs/rook/latest/Troubleshooting/disaster-recovery/#restoring-crds-after-deletion)
# to restore them.
enabled: true
# -- Pod resource requests & limits
resources:
limits:
memory: 512Mi
requests:
cpu: 200m
memory: 128Mi
# -- Kubernetes [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) to add to the Deployment.
nodeSelector: {}
# Constraint rook-ceph-operator Deployment to nodes with label `disktype: ssd`.
# For more info, see https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
# disktype: ssd
# -- List of Kubernetes [`tolerations`](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to add to the Deployment.
tolerations: []
# -- Delay to use for the `node.kubernetes.io/unreachable` pod failure toleration to override
# the Kubernetes default of 5 minutes
unreachableNodeTolerationSeconds: 5
# -- Whether the operator should watch cluster CRD in its own namespace or not
currentNamespaceOnly: false
# -- Custom pod labels for the operator
operatorPodLabels: {}
# -- Pod annotations
annotations: {}
# -- Global log level for the operator.
# Options: `ERROR`, `WARNING`, `INFO`, `DEBUG`
logLevel: INFO
# -- If true, create & use RBAC resources
rbacEnable: true
rbacAggregate:
# -- If true, create a ClusterRole aggregated to [user facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) for objectbucketclaims
enableOBCs: false
# -- If true, create & use PSP resources
pspEnable: false
# -- Set the priority class for the rook operator deployment if desired
priorityClassName:
# -- Set the container security context for the operator
containerSecurityContext:
runAsNonRoot: true
runAsUser: 2016
runAsGroup: 2016
capabilities:
drop: ["ALL"]
# -- If true, loop devices are allowed to be used for osds in test clusters
allowLoopDevices: false
# Settings for whether to disable the drivers or other daemons if they are not
# needed
csi:
# -- Enable Ceph CSI RBD driver
enableRbdDriver: true
# -- Enable Ceph CSI CephFS driver
enableCephfsDriver: true
# -- Disable the CSI driver.
disableCsiDriver: "false"
# -- Enable host networking for CSI CephFS and RBD nodeplugins. This may be necessary
# in some network configurations where the SDN does not provide access to an external cluster or
# there is significant drop in read/write performance
enableCSIHostNetwork: true
# -- Enable Snapshotter in CephFS provisioner pod
enableCephfsSnapshotter: true
# -- Enable Snapshotter in NFS provisioner pod
enableNFSSnapshotter: true
# -- Enable Snapshotter in RBD provisioner pod
enableRBDSnapshotter: true
# -- Enable Host mount for `/etc/selinux` directory for Ceph CSI nodeplugins
enablePluginSelinuxHostMount: false
# -- Enable Ceph CSI PVC encryption support
enableCSIEncryption: false
# -- Enable volume group snapshot feature. This feature is
# enabled by default as long as the necessary CRDs are available in the cluster.
enableVolumeGroupSnapshot: true
# -- PriorityClassName to be set on csi driver plugin pods
pluginPriorityClassName: system-node-critical
# -- PriorityClassName to be set on csi driver provisioner pods
provisionerPriorityClassName: system-cluster-critical
# -- Policy for modifying a volume's ownership or permissions when the RBD PVC is being mounted.
# supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html
rbdFSGroupPolicy: "File"
# -- Policy for modifying a volume's ownership or permissions when the CephFS PVC is being mounted.
# supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html
cephFSFSGroupPolicy: "File"
# -- Policy for modifying a volume's ownership or permissions when the NFS PVC is being mounted.
# supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html
nfsFSGroupPolicy: "File"
# -- OMAP generator generates the omap mapping between the PV name and the RBD image
# which helps CSI to identify the rbd images for CSI operations.
# `CSI_ENABLE_OMAP_GENERATOR` needs to be enabled when we are using rbd mirroring feature.
# By default OMAP generator is disabled and when enabled, it will be deployed as a
# sidecar with CSI provisioner pod, to enable set it to true.
enableOMAPGenerator: false
# -- Set CephFS Kernel mount options to use https://docs.ceph.com/en/latest/man/8/mount.ceph/#options.
# Set to "ms_mode=secure" when connections.encrypted is enabled in CephCluster CR
cephFSKernelMountOptions:
# -- Enable adding volume metadata on the CephFS subvolumes and RBD images.
# Not all users might be interested in getting volume/snapshot details as metadata on CephFS subvolume and RBD images.
# Hence enable metadata is false by default
enableMetadata: false
# -- Set replicas for csi provisioner deployment
provisionerReplicas: 2
# -- Cluster name identifier to set as metadata on the CephFS subvolume and RBD images. This will be useful
# in cases like for example, when two container orchestrator clusters (Kubernetes/OCP) are using a single ceph cluster
clusterName:
# -- Set logging level for cephCSI containers maintained by the cephCSI.
# Supported values from 0 to 5. 0 for general useful logs, 5 for trace level verbosity.
logLevel: 0
# -- Set logging level for Kubernetes-csi sidecar containers.
# Supported values from 0 to 5. 0 for general useful logs (the default), 5 for trace level verbosity.
# @default -- `0`
sidecarLogLevel:
# -- CSI driver name prefix for cephfs, rbd and nfs.
# @default -- `namespace name where rook-ceph operator is deployed`
csiDriverNamePrefix:
# -- CSI RBD plugin daemonset update strategy, supported values are OnDelete and RollingUpdate
# @default -- `RollingUpdate`
rbdPluginUpdateStrategy:
# -- A maxUnavailable parameter of CSI RBD plugin daemonset update strategy.
# @default -- `1`
rbdPluginUpdateStrategyMaxUnavailable:
# -- CSI CephFS plugin daemonset update strategy, supported values are OnDelete and RollingUpdate
# @default -- `RollingUpdate`
cephFSPluginUpdateStrategy:
# -- A maxUnavailable parameter of CSI cephFS plugin daemonset update strategy.
# @default -- `1`
cephFSPluginUpdateStrategyMaxUnavailable:
# -- CSI NFS plugin daemonset update strategy, supported values are OnDelete and RollingUpdate
# @default -- `RollingUpdate`
nfsPluginUpdateStrategy:
# -- Set GRPC timeout for csi containers (in seconds). It should be >= 120. If this value is not set or is invalid, it defaults to 150
grpcTimeoutInSeconds: 150
# -- Burst to use while communicating with the kubernetes apiserver.
kubeApiBurst:
# -- QPS to use while communicating with the kubernetes apiserver.
kubeApiQPS:
# -- The volume of the CephCSI RBD plugin DaemonSet
csiRBDPluginVolume:
# - name: lib-modules
# hostPath:
# path: /run/booted-system/kernel-modules/lib/modules/
# - name: host-nix
# hostPath:
# path: /nix
# -- The volume mounts of the CephCSI RBD plugin DaemonSet
csiRBDPluginVolumeMount:
# - name: host-nix
# mountPath: /nix
# readOnly: true
# -- The volume of the CephCSI CephFS plugin DaemonSet
csiCephFSPluginVolume:
# - name: lib-modules
# hostPath:
# path: /run/booted-system/kernel-modules/lib/modules/
# - name: host-nix
# hostPath:
# path: /nix
# -- The volume mounts of the CephCSI CephFS plugin DaemonSet
csiCephFSPluginVolumeMount:
# - name: host-nix
# mountPath: /nix
# readOnly: true
# -- CEPH CSI RBD provisioner resource requirement list
# csi-omap-generator resources will be applied only if `enableOMAPGenerator` is set to `true`
# @default -- see values.yaml
csiRBDProvisionerResource: |
- name : csi-provisioner
resource:
requests:
memory: 128Mi
cpu: 100m
limits:
memory: 256Mi
- name : csi-resizer
resource:
requests:
memory: 128Mi
cpu: 100m
limits:
memory: 256Mi
- name : csi-attacher
resource:
requests:
memory: 128Mi
cpu: 100m
limits:
memory: 256Mi
- name : csi-snapshotter
resource:
requests:
memory: 128Mi
cpu: 100m
limits:
memory: 256Mi
- name : csi-rbdplugin
resource:
requests:
memory: 512Mi
limits:
memory: 1Gi
- name : csi-omap-generator
resource:
requests:
memory: 512Mi
cpu: 250m
limits:
memory: 1Gi
- name : liveness-prometheus
resource:
requests:
memory: 128Mi
cpu: 50m
limits:
memory: 256Mi
# -- CEPH CSI RBD plugin resource requirement list
# @default -- see values.yaml
csiRBDPluginResource: |
- name : driver-registrar
resource:
requests:
memory: 128Mi
cpu: 50m
limits:
memory: 256Mi
- name : csi-rbdplugin
resource:
requests:
memory: 512Mi
cpu: 250m
limits:
memory: 1Gi
- name : liveness-prometheus
resource:
requests:
memory: 128Mi
cpu: 50m
limits:
memory: 256Mi
# -- CEPH CSI CephFS provisioner resource requirement list
# @default -- see values.yaml
csiCephFSProvisionerResource: |
- name : csi-provisioner
resource:
requests:
memory: 128Mi
cpu: 100m
limits:
memory: 256Mi
- name : csi-resizer
resource:
requests:
memory: 128Mi
cpu: 100m
limits:
memory: 256Mi
- name : csi-attacher
resource:
requests:
memory: 128Mi
cpu: 100m
limits:
memory: 256Mi
- name : csi-snapshotter
resource:
requests:
memory: 128Mi
cpu: 100m
limits:
memory: 256Mi
- name : csi-cephfsplugin
resource:
requests:
memory: 512Mi
cpu: 250m
limits:
memory: 1Gi
- name : liveness-prometheus
resource:
requests:
memory: 128Mi
cpu: 50m
limits:
memory: 256Mi
# -- CEPH CSI CephFS plugin resource requirement list
# @default -- see values.yaml
csiCephFSPluginResource: |
- name : driver-registrar
resource:
requests:
memory: 128Mi
cpu: 50m
limits:
memory: 256Mi
- name : csi-cephfsplugin
resource:
requests:
memory: 512Mi
cpu: 250m
limits:
memory: 1Gi
- name : liveness-prometheus
resource:
requests:
memory: 128Mi
cpu: 50m
limits:
memory: 256Mi
# -- CEPH CSI NFS provisioner resource requirement list
# @default -- see values.yaml
csiNFSProvisionerResource: |
- name : csi-provisioner
resource:
requests:
memory: 128Mi
cpu: 100m
limits:
memory: 256Mi
- name : csi-nfsplugin
resource:
requests:
memory: 512Mi
cpu: 250m
limits:
memory: 1Gi
- name : csi-attacher
resource:
requests:
memory: 512Mi
cpu: 250m
limits:
memory: 1Gi
# -- CEPH CSI NFS plugin resource requirement list
# @default -- see values.yaml
csiNFSPluginResource: |
- name : driver-registrar
resource:
requests:
memory: 128Mi
cpu: 50m
limits:
memory: 256Mi
- name : csi-nfsplugin
resource:
requests:
memory: 512Mi
cpu: 250m
limits:
memory: 1Gi
# Set provisionerTolerations and provisionerNodeAffinity for provisioner pod.
# The CSI provisioner would be best to start on the same nodes as other ceph daemons.
# -- Array of tolerations in YAML format which will be added to CSI provisioner deployment
provisionerTolerations:
# - key: key
# operator: Exists
# effect: NoSchedule
# -- The node labels for affinity of the CSI provisioner deployment [^1]
provisionerNodeAffinity: #key1=value1,value2; key2=value3
# Set pluginTolerations and pluginNodeAffinity for plugin daemonset pods.
# The CSI plugins need to be started on all the nodes where the clients need to mount the storage.
# -- Array of tolerations in YAML format which will be added to CephCSI plugin DaemonSet
pluginTolerations:
# - key: key
# operator: Exists
# effect: NoSchedule
# -- The node labels for affinity of the CephCSI RBD plugin DaemonSet [^1]
pluginNodeAffinity: # key1=value1,value2; key2=value3
# -- Enable Ceph CSI Liveness sidecar deployment
enableLiveness: false
# -- CSI CephFS driver metrics port
# @default -- `9081`
cephfsLivenessMetricsPort:
# -- CSI Addons server port
# @default -- `9070`
csiAddonsPort:
# -- CSI Addons server port for the RBD provisioner
# @default -- `9070`
csiAddonsRBDProvisionerPort:
# -- CSI Addons server port for the Ceph FS provisioner
# @default -- `9070`
csiAddonsCephFSProvisionerPort:
# -- Enable Ceph Kernel clients on kernel < 4.17. If your kernel does not support quotas for CephFS
# you may want to disable this setting. However, this will cause an issue during upgrades
# with the FUSE client. See the [upgrade guide](https://rook.io/docs/rook/v1.2/ceph-upgrade.html)
forceCephFSKernelClient: true
# -- Ceph CSI RBD driver metrics port
# @default -- `8080`
rbdLivenessMetricsPort:
serviceMonitor:
# -- Enable ServiceMonitor for Ceph CSI drivers
enabled: false
# -- Service monitor scrape interval
interval: 10s
# -- ServiceMonitor additional labels
labels: {}
# -- Use a different namespace for the ServiceMonitor
namespace:
# -- Kubelet root directory path (if the Kubelet uses a different path for the `--root-dir` flag)
# @default -- `/var/lib/kubelet`
kubeletDirPath:
# -- Duration in seconds that non-leader candidates will wait to force acquire leadership.
# @default -- `137s`
csiLeaderElectionLeaseDuration:
# -- Deadline in seconds that the acting leader will retry refreshing leadership before giving up.
# @default -- `107s`
csiLeaderElectionRenewDeadline:
# -- Retry period in seconds the LeaderElector clients should wait between tries of actions.
# @default -- `26s`
csiLeaderElectionRetryPeriod:
cephcsi:
# -- Ceph CSI image repository
repository: quay.io/cephcsi/cephcsi
# -- Ceph CSI image tag
tag: v3.14.0
registrar:
# -- Kubernetes CSI registrar image repository
repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
# -- Registrar image tag
tag: v2.13.0
provisioner:
# -- Kubernetes CSI provisioner image repository
repository: registry.k8s.io/sig-storage/csi-provisioner
# -- Provisioner image tag
tag: v5.1.0
snapshotter:
# -- Kubernetes CSI snapshotter image repository
repository: registry.k8s.io/sig-storage/csi-snapshotter
# -- Snapshotter image tag
tag: v8.2.0
attacher:
# -- Kubernetes CSI Attacher image repository
repository: registry.k8s.io/sig-storage/csi-attacher
# -- Attacher image tag
tag: v4.8.0
resizer:
# -- Kubernetes CSI resizer image repository
repository: registry.k8s.io/sig-storage/csi-resizer
# -- Resizer image tag
tag: v1.13.1
# -- Image pull policy
imagePullPolicy: IfNotPresent
# -- Labels to add to the CSI CephFS Deployments and DaemonSets Pods
cephfsPodLabels: #"key1=value1,key2=value2"
# -- Labels to add to the CSI NFS Deployments and DaemonSets Pods
nfsPodLabels: #"key1=value1,key2=value2"
# -- Labels to add to the CSI RBD Deployments and DaemonSets Pods
rbdPodLabels: #"key1=value1,key2=value2"
csiAddons:
# -- Enable CSIAddons
enabled: false
# -- CSIAddons sidecar image repository
repository: quay.io/csiaddons/k8s-sidecar
# -- CSIAddons sidecar image tag
tag: v0.12.0
nfs:
# -- Enable the nfs csi driver
enabled: false
topology:
# -- Enable topology based provisioning
enabled: false
# NOTE: the value here serves as an example and needs to be
# updated with node labels that define domains of interest
# -- domainLabels define which node labels to use as domains
# for CSI nodeplugins to advertise their domains
domainLabels:
# - kubernetes.io/hostname
# - topology.kubernetes.io/zone
# - topology.rook.io/rack
# -- Whether to skip any attach operation altogether for CephFS PVCs. See more details
# [here](https://kubernetes-csi.github.io/docs/skip-attach.html#skip-attach-with-csi-driver-object).
# If cephFSAttachRequired is set to false it skips the volume attachments and makes the creation
# of pods using the CephFS PVC fast. **WARNING** It's highly discouraged to use this for
# CephFS RWO volumes. Refer to this [issue](https://github.com/kubernetes/kubernetes/issues/103305) for more details.
cephFSAttachRequired: true
# -- Whether to skip any attach operation altogether for RBD PVCs. See more details
# [here](https://kubernetes-csi.github.io/docs/skip-attach.html#skip-attach-with-csi-driver-object).
# If set to false it skips the volume attachments and makes the creation of pods using the RBD PVC fast.
# **WARNING** It's highly discouraged to use this for RWO volumes as it can cause data corruption.
# csi-addons operations like Reclaimspace and PVC Keyrotation will also not be supported if set
# to false since we'll have no VolumeAttachments to determine which node the PVC is mounted on.
# Refer to this [issue](https://github.com/kubernetes/kubernetes/issues/103305) for more details.
rbdAttachRequired: true
# -- Whether to skip any attach operation altogether for NFS PVCs. See more details
# [here](https://kubernetes-csi.github.io/docs/skip-attach.html#skip-attach-with-csi-driver-object).
# If cephFSAttachRequired is set to false it skips the volume attachments and makes the creation
# of pods using the NFS PVC fast. **WARNING** It's highly discouraged to use this for
# NFS RWO volumes. Refer to this [issue](https://github.com/kubernetes/kubernetes/issues/103305) for more details.
nfsAttachRequired: true
# -- Enable discovery daemon
enableDiscoveryDaemon: false
# -- Set the discovery daemon device discovery interval (default to 60m)
discoveryDaemonInterval: 60m
# -- The timeout for ceph commands in seconds
cephCommandsTimeoutSeconds: "15"
# -- If true, run rook operator on the host network
useOperatorHostNetwork:
# -- If true, scale down the rook operator.
# This is useful for administrative actions where the rook operator must be scaled down, while using gitops style tooling
# to deploy your helm charts.
scaleDownOperator: false
## Rook Discover configuration
## toleration: NoSchedule, PreferNoSchedule or NoExecute
## tolerationKey: Set this to the specific key of the taint to tolerate
## tolerations: Array of tolerations in YAML format which will be added to agent deployment
## nodeAffinity: Set to labels of the node to match
discover:
# -- Toleration for the discover pods.
# Options: `NoSchedule`, `PreferNoSchedule` or `NoExecute`
toleration:
# -- The specific key of the taint to tolerate
tolerationKey:
# -- Array of tolerations in YAML format which will be added to discover deployment
tolerations:
# - key: key
# operator: Exists
# effect: NoSchedule
# -- The node labels for affinity of `discover-agent` [^1]
nodeAffinity:
# key1=value1,value2; key2=value3
#
# or
#
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: storage-node
# operator: Exists
# -- Labels to add to the discover pods
podLabels: # "key1=value1,key2=value2"
# -- Add resources to discover daemon pods
resources:
# - limits:
# memory: 512Mi
# - requests:
# cpu: 100m
# memory: 128Mi
# -- Custom label to identify node hostname. If not set `kubernetes.io/hostname` will be used
customHostnameLabel:
# -- Runs Ceph Pods as privileged to be able to write to `hostPaths` in OpenShift with SELinux restrictions.
hostpathRequiresPrivileged: false
# -- Whether to create all Rook pods to run on the host network, for example in environments where a CNI is not enabled
enforceHostNetwork: false
# -- Disable automatic orchestration when new devices are discovered.
disableDeviceHotplug: false
# -- The revision history limit for all pods created by Rook. If blank, the K8s default is 10.
revisionHistoryLimit:
# -- Blacklist certain disks according to the regex provided.
discoverDaemonUdev:
# -- imagePullSecrets option allow to pull docker images from private docker registry. Option will be passed to all service accounts.
imagePullSecrets:
# - name: my-registry-secret
# -- Whether the OBC provisioner should watch on the operator namespace or not, if not the namespace of the cluster will be used
enableOBCWatchOperatorNamespace: true
# -- Specify the prefix for the OBC provisioner in place of the cluster namespace
# @default -- `ceph cluster namespace`
obcProvisionerNamePrefix:
# -- Many OBC additional config fields may be risky for administrators to allow users control over.
# The safe and default-allowed fields are 'maxObjects' and 'maxSize'.
# Other fields should be considered risky. To allow all additional configs, use this value:
# "maxObjects,maxSize,bucketMaxObjects,bucketMaxSize,bucketPolicy,bucketLifecycle,bucketOwner"
# @default -- "maxObjects,maxSize"
obcAllowAdditionalConfigFields: "maxObjects,maxSize"
monitoring:
# -- Enable monitoring. Requires Prometheus to be pre-installed.
# Enabling will also create RBAC rules to allow Operator to create ServiceMonitors
enabled: false
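Review bot: This file pinned several hardened operator settings that the replacement should carry over explicitly rather than inherit from upstream defaults: `containerSecurityContext` with `runAsNonRoot: true` and `capabilities: drop: ["ALL"]`, `rbdAttachRequired: true` / `cephFSAttachRequired: true` / `nfsAttachRequired: true` (the comments warn that disabling them risks data corruption on RWO volumes), and `obcAllowAdditionalConfigFields: "maxObjects,maxSize"` (the comment marks the other fields as risky to expose to users). It also pinned `image.tag: v1.17.1` and `cephcsi.tag: v3.14.0`; whatever generates the values now should pin versions the same way instead of floating to `master`. Worth confirming before merging that none of these regress silently.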


@@ -1,199 +0,0 @@
use std::{
net::{IpAddr, Ipv4Addr},
sync::{Arc, OnceLock},
};
use brocade::BrocadeOptions;
use cidr::Ipv4Cidr;
use harmony::{
config::secret::SshKeyPair,
data::{FileContent, FilePath},
hardware::{HostCategory, Location, PhysicalHost, SwitchGroup},
infra::{brocade::BrocadeSwitchClient, opnsense::OPNSenseManagementInterface},
inventory::Inventory,
modules::{
http::StaticFilesHttpScore,
okd::{
bootstrap_dhcp::OKDBootstrapDhcpScore,
bootstrap_load_balancer::OKDBootstrapLoadBalancerScore, dhcp::OKDDhcpScore,
dns::OKDDnsScore, ipxe::OKDIpxeScore,
},
tftp::TftpScore,
},
topology::{LogicalHost, UnmanagedRouter},
};
use harmony_macros::{ip, mac_address};
use harmony_secret::{Secret, SecretManager};
use harmony_types::net::Url;
use serde::{Deserialize, Serialize};
#[tokio::main]
async fn main() {
let firewall = harmony::topology::LogicalHost {
ip: ip!("192.168.33.1"),
name: String::from("fw0"),
};
let switch_auth = SecretManager::get_or_prompt::<BrocadeSwitchAuth>()
.await
.expect("Failed to get credentials");
let switches: Vec<IpAddr> = vec![ip!("192.168.33.101")];
let brocade_options = BrocadeOptions {
dry_run: *harmony::config::DRY_RUN,
..Default::default()
};
let switch_client = BrocadeSwitchClient::init(
&switches,
&switch_auth.username,
&switch_auth.password,
brocade_options,
)
.await
.expect("Failed to connect to switch");
let switch_client = Arc::new(switch_client);
let opnsense = Arc::new(
harmony::infra::opnsense::OPNSenseFirewall::new(firewall, None, "root", "opnsense").await,
);
let lan_subnet = Ipv4Addr::new(192, 168, 33, 0);
let gateway_ipv4 = Ipv4Addr::new(192, 168, 33, 1);
let gateway_ip = IpAddr::V4(gateway_ipv4);
let topology = harmony::topology::HAClusterTopology {
kubeconfig: None,
domain_name: "ncd0.harmony.mcd".to_string(), // TODO this must be set manually correctly
// when setting up the opnsense firewall
router: Arc::new(UnmanagedRouter::new(
gateway_ip,
Ipv4Cidr::new(lan_subnet, 24).unwrap(),
)),
load_balancer: opnsense.clone(),
firewall: opnsense.clone(),
tftp_server: opnsense.clone(),
http_server: opnsense.clone(),
dhcp_server: opnsense.clone(),
dns_server: opnsense.clone(),
control_plane: vec![
LogicalHost {
ip: ip!("192.168.33.20"),
name: "cp0".to_string(),
},
LogicalHost {
ip: ip!("192.168.33.21"),
name: "cp1".to_string(),
},
LogicalHost {
ip: ip!("192.168.33.22"),
name: "cp2".to_string(),
},
],
bootstrap_host: LogicalHost {
ip: ip!("192.168.33.66"),
name: "bootstrap".to_string(),
},
workers: vec![
LogicalHost {
ip: ip!("192.168.33.30"),
name: "wk0".to_string(),
},
LogicalHost {
ip: ip!("192.168.33.31"),
name: "wk1".to_string(),
},
LogicalHost {
ip: ip!("192.168.33.32"),
name: "wk2".to_string(),
},
],
node_exporter: opnsense.clone(),
switch_client: switch_client.clone(),
network_manager: OnceLock::new(),
};
let inventory = Inventory {
location: Location::new("I am mobile".to_string(), "earth".to_string()),
switch: SwitchGroup::from([]),
firewall_mgmt: Box::new(OPNSenseManagementInterface::new()),
storage_host: vec![],
worker_host: vec![
PhysicalHost::empty(HostCategory::Server)
.mac_address(mac_address!("C4:62:37:02:61:0F")),
PhysicalHost::empty(HostCategory::Server)
.mac_address(mac_address!("C4:62:37:02:61:26")),
// thisone
// Then create the ipxe file
// set the dns static leases
// bootstrap nodes
// start ceph cluster
// try installation of lampscore
// bingo?
PhysicalHost::empty(HostCategory::Server)
.mac_address(mac_address!("C4:62:37:02:61:70")),
],
control_plane_host: vec![
PhysicalHost::empty(HostCategory::Server)
.mac_address(mac_address!("C4:62:37:02:60:FA")),
PhysicalHost::empty(HostCategory::Server)
.mac_address(mac_address!("C4:62:37:02:61:1A")),
PhysicalHost::empty(HostCategory::Server)
.mac_address(mac_address!("C4:62:37:01:BC:68")),
],
};
// TODO regroup smaller scores in a larger one such as this
// let okd_boostrap_preparation();
let bootstrap_dhcp_score = OKDBootstrapDhcpScore::new(&topology, &inventory);
let bootstrap_load_balancer_score = OKDBootstrapLoadBalancerScore::new(&topology);
let dhcp_score = OKDDhcpScore::new(&topology, &inventory);
let dns_score = OKDDnsScore::new(&topology);
let load_balancer_score =
harmony::modules::okd::load_balancer::OKDLoadBalancerScore::new(&topology);
let ssh_key = SecretManager::get_or_prompt::<SshKeyPair>().await.unwrap();
let tftp_score = TftpScore::new(Url::LocalFolder("./data/watchguard/tftpboot".to_string()));
let http_score = StaticFilesHttpScore {
folder_to_serve: Some(Url::LocalFolder(
"./data/watchguard/pxe-http-files".to_string(),
)),
files: vec![],
remote_path: None,
};
let kickstart_filename = "inventory.kickstart".to_string();
let harmony_inventory_agent = "harmony_inventory_agent".to_string();
let ipxe_score = OKDIpxeScore {
kickstart_filename,
harmony_inventory_agent,
cluster_pubkey: FileContent {
path: FilePath::Relative("cluster_ssh_key.pub".to_string()),
content: ssh_key.public,
},
};
harmony_tui::run(
inventory,
topology,
vec![
Box::new(dns_score),
Box::new(bootstrap_dhcp_score),
Box::new(bootstrap_load_balancer_score),
Box::new(load_balancer_score),
Box::new(tftp_score),
Box::new(http_score),
Box::new(ipxe_score),
Box::new(dhcp_score),
],
)
.await
.unwrap();
}
#[derive(Secret, Serialize, Deserialize, Debug)]
pub struct BrocadeSwitchAuth {
pub username: String,
pub password: String,
}
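Review bot: Deleting this example removes the hardcoded OPNsense login in `OPNSenseFirewall::new(firewall, None, "root", "opnsense")`, which is the right direction (the switch credentials already go through `SecretManager::get_or_prompt::<BrocadeSwitchAuth>()`), but the credential and the lab MAC addresses remain in git history. If that password was ever set on a real firewall, rotate it rather than rely on the file being gone; the remaining example that uses OPNsense should take the login from `SecretManager` the same way the switch does.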


@@ -1,5 +1,5 @@
[package]
name = "example-ha-cluster"
name = "example-nats-module-supercluster"
edition = "2024"
version.workspace = true
readme.workspace = true
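Review bot: The renamed package `example-nats-module-supercluster` is easy to confuse with the separate `example-nats-supercluster` crate added later in this same change. If both are meant to exist, a one-line `description` in each `Cargo.toml` or a README sentence distinguishing them would help; if not, one of the two should be dropped before this lands.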
@@ -8,7 +8,7 @@ publish = false
[dependencies]
harmony = { path = "../../harmony" }
harmony_tui = { path = "../../harmony_tui" }
harmony_cli = { path = "../../harmony_cli" }
harmony_types = { path = "../../harmony_types" }
cidr = { workspace = true }
tokio = { workspace = true }
@@ -16,6 +16,4 @@ harmony_macros = { path = "../../harmony_macros" }
log = { workspace = true }
env_logger = { workspace = true }
url = { workspace = true }
harmony_secret = { path = "../../harmony_secret" }
brocade = { path = "../../brocade" }
serde = { workspace = true }
k8s-openapi.workspace = true


@@ -0,0 +1,9 @@
# Cluster 1
export HARMONY_DECENTRALIZED_TOPOLOGY_K8S_SITE_1="kubeconfig=$HOME/.kube/config,context=cluster-context"
export HARMONY_NATS_SITE_1_DOMAIN="your.domain.1"
# Cluster 2
export HARMONY_DECENTRALIZED_TOPOLOGY_K8S_SITE_2="kubeconfig=$HOME/.kube/config,context=cluster-context"
export HARMONY_NATS_SITE_2_DOMAIN="your.domain.2"
# Cluster 3
export HARMONY_DECENTRALIZED_TOPOLOGY_K8S_SITE_3="kubeconfig=$HOME/.kube/config,context=cluster-context"
export HARMONY_NATS_SITE_3_DOMAIN="your.domain.3"
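Review bot: All three `HARMONY_DECENTRALIZED_TOPOLOGY_K8S_SITE_n` entries point at the same `kubeconfig=$HOME/.kube/config,context=cluster-context`, so sourcing this file as-is deploys all three "sites" into one cluster, and the domains are literal placeholders (`your.domain.1`). Add a comment at the top saying these are placeholders to edit, with a distinct context per site, so the file is not mistaken for a working configuration.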


@@ -0,0 +1,77 @@
use harmony::{
inventory::Inventory,
modules::nats::{capability::NatsCluster, score_nats_supercluster::NatsSuperclusterScore},
topology::{K8sAnywhereTopology, decentralized::DecentralizedTopology},
};
#[tokio::main]
async fn main() {
let supercluster_ca_secret_name = "nats-supercluster-ca-bundle";
let tls_cert_name = "nats-gateway";
let jetstream_enabled = "false";
let nats_namespace = "nats-example".to_string();
let site_1_name = "site-1".to_string();
let site_1_domain =
std::env::var("HARMONY_NATS_SITE_1_DOMAIN").expect("missing domain in env for site_1");
let nats_site_1 = NatsCluster {
namespace: nats_namespace.clone(),
domain: site_1_domain.clone(),
replicas: 1,
name: site_1_name.clone(),
gateway_advertise: format!("{site_1_name}-gw.{site_1_domain}:443"),
dns_name: format!("{site_1_name}-gw.{site_1_domain}"),
supercluster_ca_secret_name: supercluster_ca_secret_name,
tls_cert_name: tls_cert_name,
jetstream_enabled: jetstream_enabled,
};
let site_2_name = "site-2".to_string();
let site_2_domain =
std::env::var("HARMONY_NATS_SITE_2_DOMAIN").expect("missing domain in env for site_2");
let nats_site_2 = NatsCluster {
namespace: nats_namespace.clone(),
domain: site_2_domain.clone(),
replicas: 1,
name: site_2_name.clone(),
gateway_advertise: format!("{site_2_name}-gw.{site_2_domain}:443"),
dns_name: format!("{site_2_name}-gw.{site_2_domain}"),
supercluster_ca_secret_name: supercluster_ca_secret_name,
tls_cert_name: tls_cert_name,
jetstream_enabled: jetstream_enabled,
};
let site_3_name = "site-3".to_string();
let site_3_domain =
std::env::var("HARMONY_NATS_SITE_3_DOMAIN").expect("missing domain in env for site_3");
let nats_site_3 = NatsCluster {
namespace: nats_namespace.clone(),
domain: site_3_domain.clone(),
replicas: 1,
name: site_3_name.clone(),
gateway_advertise: format!("{site_3_name}-gw.{site_3_domain}:443"),
dns_name: format!("{site_3_name}-gw.{site_3_domain}"),
supercluster_ca_secret_name: supercluster_ca_secret_name,
tls_cert_name: tls_cert_name,
jetstream_enabled: jetstream_enabled,
};
let clusters = vec![nats_site_1, nats_site_2, nats_site_3];
let nats_supercluster = NatsSuperclusterScore {
nats_cluster: clusters,
ca_certs: None,
};
harmony_cli::run(
Inventory::autoload(),
DecentralizedTopology::<K8sAnywhereTopology>::from_env(),
vec![Box::new(nats_supercluster)],
None,
)
.await
.unwrap();
}
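Review bot: `let jetstream_enabled = "false";` is a string literal that ends up spliced into Helm values YAML, so a typo such as `"flase"` only surfaces as a chart rendering error rather than a compile error; a `bool` formatted at the point of use is safer. The three `NatsCluster { .. }` blocks differ only in the `1`/`2`/`3` suffix; a loop over `1..=3` reading `HARMONY_NATS_SITE_{i}_DOMAIN` would remove the copy-paste and keep the site count aligned with what `DecentralizedTopology::from_env()` discovers.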

View File

@@ -0,0 +1,19 @@
[package]
name = "example-nats-supercluster"
edition = "2024"
version.workspace = true
readme.workspace = true
license.workspace = true
publish = false
[dependencies]
harmony = { path = "../../harmony" }
harmony_cli = { path = "../../harmony_cli" }
harmony_types = { path = "../../harmony_types" }
cidr = { workspace = true }
tokio = { workspace = true }
harmony_macros = { path = "../../harmony_macros" }
log = { workspace = true }
env_logger = { workspace = true }
url = { workspace = true }
k8s-openapi.workspace = true

View File

@@ -0,0 +1,6 @@
# Cluster 1
export HARMONY_NATS_SITE_1="kubeconfig=$HOME/.config/nt/kube/config,context=your_cluster_1_kube_context_name"
export HARMONY_NATS_SITE_1_DOMAIN="your_cluster_1_public_domain"
# Cluster 2
export HARMONY_NATS_SITE_2="kubeconfig=$HOME/.config/nt/kube/config,context=your_cluster_2_kube_context_name"
export HARMONY_NATS_SITE_2_DOMAIN="your_cluster_2_public_domain"

View File

@@ -0,0 +1,481 @@
use std::{collections::BTreeMap, str::FromStr};
use harmony::{
interpret::{InterpretError, Outcome},
inventory::Inventory,
modules::{
cert_manager::{
capability::{CertificateManagement, CertificateManagementConfig},
crd::CaIssuer,
},
helm::chart::{HelmChartScore, HelmRepository, NonBlankString},
k8s::resource::K8sResourceScore,
okd::{
crd::route::{RoutePort, RouteSpec, RouteTargetReference, TLSConfig},
route::OKDRouteScore,
},
},
score::Score,
topology::{
HelmCommand, K8sAnywhereConfig, K8sAnywhereTopology, K8sclient, TlsRouter, Topology,
},
};
use harmony_macros::hurl;
use k8s_openapi::{
ByteString, api::core::v1::Secret, apimachinery::pkg::apis::meta::v1::ObjectMeta,
};
use log::{debug, info};
#[tokio::main]
async fn main() -> Result<(), InterpretError> {
let namespace = "nats-supercluster-test";
let self_signed_issuer_name = "harmony-self-signed-issuer";
let ca_issuer_name = "harmony-ca-issuer";
let root_ca_cert_name = "harmony-root-ca";
log::info!("starting nats supercluster bootstrap");
// --------------------------------------------------
// 1. Build site contexts
// --------------------------------------------------
let site1 = site(
"HARMONY_NATS_SITE_1",
"HARMONY_NATS_SITE_1_DOMAIN",
"nats-sto1-cert-test1",
);
let site2 = site(
"HARMONY_NATS_SITE_2",
"HARMONY_NATS_SITE_2_DOMAIN",
"nats-cb1-cert-test2",
);
// --------------------------------------------------
// 2. Ensure clusters are reachable
// --------------------------------------------------
log::info!("ensuring both topologies are ready");
tokio::try_join!(site1.topology.ensure_ready(), site2.topology.ensure_ready(),)?;
// --------------------------------------------------
// 3. Create certificates
// --------------------------------------------------
log::info!("creating certificates");
let root_ca_config = CertificateManagementConfig {
namespace: Some(namespace.into()),
acme_issuer: None,
ca_issuer: Some(CaIssuer {
secret_name: format!("{}-tls", root_ca_cert_name),
}),
self_signed: false,
};
let self_signed_config = CertificateManagementConfig {
namespace: Some(namespace.to_string().clone()),
acme_issuer: None,
ca_issuer: None,
self_signed: true,
};
tokio::try_join!(
create_nats_certs(
site1.topology.clone(),
&site1.cluster,
ca_issuer_name,
&root_ca_config,
self_signed_issuer_name,
&self_signed_config,
root_ca_cert_name
),
create_nats_certs(
site2.topology.clone(),
&site2.cluster,
ca_issuer_name,
&root_ca_config,
self_signed_issuer_name,
&self_signed_config,
root_ca_cert_name
),
)?;
// --------------------------------------------------
// 4. Build CA bundle
// --------------------------------------------------
log::info!("building supercluster CA bundle");
let mut ca_bundle = Vec::new();
ca_bundle.push(
site1
.topology
.get_ca_certificate(root_ca_cert_name.to_string(), &root_ca_config)
.await?,
);
ca_bundle.push(
site2
.topology
.get_ca_certificate(root_ca_cert_name.to_string(), &root_ca_config)
.await?,
);
// --------------------------------------------------
// 5. Build Scores
// --------------------------------------------------
log::info!("building scores");
let site1_scores = vec![
build_ca_bundle_secret_score(
site1.topology.clone(),
&site1.cluster,
&ca_bundle,
namespace.into(),
)
.await,
build_route_score(site1.topology.clone(), &site1.cluster, namespace.into()).await,
build_deploy_nats_score(
site1.topology.clone(),
&site1.cluster,
vec![&site2.cluster],
namespace.into(),
)
.await,
];
let site2_scores = vec![
build_ca_bundle_secret_score(
site2.topology.clone(),
&site2.cluster,
&ca_bundle,
namespace.into(),
)
.await,
build_route_score(site2.topology.clone(), &site2.cluster, namespace.into()).await,
build_deploy_nats_score(
site2.topology.clone(),
&site2.cluster,
vec![&site1.cluster],
namespace.into(),
)
.await,
];
// --------------------------------------------------
// 6. Apply Scores
// --------------------------------------------------
log::info!("applying scores");
tokio::try_join!(
apply_scores(site1.topology.clone(), site1_scores),
apply_scores(site2.topology.clone(), site2_scores),
)?;
log::info!("supercluster bootstrap complete");
log::info!(
"Enjoy! You can test your nats cluster by running : `kubectl exec -n {namespace} -it deployment/nats-box -- nats pub test hi`"
);
Ok(())
}
async fn apply_scores<T: Topology + 'static>(
topology: T,
scores: Vec<Box<dyn Score<T>>>,
) -> Result<(), InterpretError> {
info!("applying {} scores", scores.len());
harmony_cli::run(Inventory::autoload(), topology, scores, None)
.await
.map_err(|e| InterpretError::new(e.to_string()))?;
Ok(())
}
fn site(
topo_env: &str,
domain_env: &str,
cluster_name: &'static str,
) -> SiteContext<K8sAnywhereTopology> {
let domain = std::env::var(domain_env).expect("missing domain env");
let topology =
K8sAnywhereTopology::with_config(K8sAnywhereConfig::remote_k8s_from_env_var(topo_env));
SiteContext {
topology,
cluster: NatsCluster {
replicas: 1,
name: cluster_name,
gateway_advertise: format!("{cluster_name}-gw.{domain}:443"),
dns_name: format!("{cluster_name}-gw.{domain}"),
supercluster_ca_secret_name: "nats-supercluster-ca-bundle",
tls_cert_name: "nats-gateway",
jetstream_enabled: "true",
},
}
}
struct SiteContext<T> {
topology: T,
cluster: NatsCluster,
}
struct NatsCluster {
replicas: usize,
name: &'static str,
gateway_advertise: String,
dns_name: String,
supercluster_ca_secret_name: &'static str,
tls_cert_name: &'static str,
jetstream_enabled: &'static str,
}
async fn create_nats_certs<T: Topology + CertificateManagement>(
topology: T,
cluster: &NatsCluster,
ca_issuer_name: &str,
ca_cert_mgmt_config: &CertificateManagementConfig,
self_signed_issuer_name: &str,
self_signed_cert_config: &CertificateManagementConfig,
root_ca_cert_name: &str,
) -> Result<Outcome, InterpretError> {
//the order is pretty important
debug!(
"Applying certs to ns {:#?}",
ca_cert_mgmt_config.namespace.clone()
);
debug!("creating issuer '{}'", self_signed_issuer_name);
topology
.create_issuer(
self_signed_issuer_name.to_string(),
&self_signed_cert_config,
)
.await?;
debug!("creating certificate {root_ca_cert_name}");
topology
.create_certificate(
root_ca_cert_name.to_string(),
self_signed_issuer_name.to_string(),
Some(format!("harmony-{}-ca", cluster.name)),
None,
Some(true),
ca_cert_mgmt_config,
)
.await?;
debug!("creating issuer '{}'", ca_issuer_name);
topology
.create_issuer(ca_issuer_name.to_string(), ca_cert_mgmt_config)
.await?;
debug!("creating certificate {}", cluster.tls_cert_name);
topology
.create_certificate(
cluster.tls_cert_name.to_string(),
ca_issuer_name.to_string(),
None,
Some(vec![cluster.dns_name.clone()]),
Some(true),
ca_cert_mgmt_config,
)
.await?;
Ok(Outcome::success("success".to_string()))
}
async fn build_ca_bundle_secret(
namespace: &str,
nats_cluster: &NatsCluster,
bundle: &Vec<String>,
) -> Secret {
Secret {
metadata: ObjectMeta {
name: Some(nats_cluster.supercluster_ca_secret_name.to_string()),
namespace: Some(namespace.to_string()),
..Default::default()
},
data: Some(build_secret_data(bundle).await),
immutable: Some(false),
type_: Some("Opaque".to_string()),
string_data: None,
}
}
async fn build_secret_data(bundle: &Vec<String>) -> BTreeMap<String, ByteString> {
let mut data = BTreeMap::new();
data.insert(
"ca.crt".to_string(),
ByteString(bundle.join("\n").into_bytes()),
);
data
}
async fn build_ca_bundle_secret_score<T: Topology + K8sclient + 'static>(
_topology: T,
nats_cluster: &NatsCluster,
ca_bundle: &Vec<String>,
namespace: String,
) -> Box<dyn Score<T>> {
let bundle_secret = build_ca_bundle_secret(&namespace, nats_cluster, ca_bundle).await;
debug!(
"deploying secret to ns: {} \nsecret: {:#?}",
namespace, bundle_secret
);
let k8ssecret = K8sResourceScore::single(bundle_secret, Some(namespace));
Box::new(k8ssecret)
}
async fn build_route_score<T: Topology + K8sclient + 'static>(
_topology: T,
cluster: &NatsCluster,
namespace: String,
) -> Box<dyn Score<T>> {
let route = OKDRouteScore {
name: cluster.name.to_string(),
namespace,
spec: RouteSpec {
to: RouteTargetReference {
kind: "Service".to_string(),
name: cluster.name.to_string(),
weight: Some(100),
},
host: Some(cluster.dns_name.clone()),
port: Some(RoutePort { target_port: 7222 }),
tls: Some(TLSConfig {
insecure_edge_termination_policy: None,
termination: "passthrough".to_string(),
..Default::default()
}),
wildcard_policy: None,
..Default::default()
},
};
Box::new(route)
}
async fn build_deploy_nats_score<T: Topology + HelmCommand + TlsRouter + 'static>(
topology: T,
cluster: &NatsCluster,
peers: Vec<&NatsCluster>,
namespace: String,
) -> Box<dyn Score<T>> {
let mut gateway_gateways = String::new();
for peer in peers {
// Construct wss:// URLs on port 443 for the remote gateways
gateway_gateways.push_str(&format!(
r#"
- name: {}
urls:
- nats://{}"#,
peer.name, peer.gateway_advertise
));
}
let domain = topology.get_internal_domain().await.unwrap().unwrap();
// Inject gateway config into the 'merge' block to comply with chart structure
let values_yaml = Some(format!(
r#"config:
merge:
authorization:
default_permissions:
publish: ["TEST.*"]
subscribe: ["PUBLIC.>"]
users:
# - user: "admin"
# password: "admin_1"
# permissions:
# publish: ">"
# subscribe: ">"
- password: "enGk0cgZUabM6bN6FXHT"
user: "testUser"
accounts:
system:
users:
- user: "admin"
password: "admin_2"
logtime: true
debug: true
trace: true
system_account: system
cluster:
name: {cluster_name}
enabled: true
replicas: {replicas}
jetstream:
enabled: {jetstream_enabled}
fileStorage:
enabled: true
size: 10Gi
storageDirectory: /data/jetstream
leafnodes:
enabled: false
websocket:
enabled: false
ingress:
enabled: true
className: openshift-default
pathType: Prefix
hosts:
- nats-ws.{domain}
gateway:
enabled: true
port: 7222
name: {cluster_name}
merge:
advertise: {gateway_advertise}
gateways: {gateway_gateways}
tls:
enabled: true
secretName: {tls_secret_name}
# merge:
# ca_file: "/etc/nats-certs/gateway/ca.crt"
service:
ports:
gateway:
enabled: true
tlsCA:
enabled: true
secretName: {supercluster_ca_secret_name}
natsBox:
container:
image:
tag: nonroot"#,
cluster_name = cluster.name,
replicas = cluster.replicas,
domain = domain,
gateway_gateways = gateway_gateways,
gateway_advertise = cluster.gateway_advertise,
tls_secret_name = format!("{}-tls", cluster.tls_cert_name),
jetstream_enabled = cluster.jetstream_enabled,
supercluster_ca_secret_name = cluster.supercluster_ca_secret_name,
));
debug!("Prepared Helm Chart values : \n{values_yaml:#?}");
let nats = HelmChartScore {
namespace: Some(NonBlankString::from_str(&namespace).unwrap()),
release_name: NonBlankString::from_str(&cluster.name).unwrap(),
chart_name: NonBlankString::from_str("nats/nats").unwrap(),
chart_version: None,
values_overrides: None,
values_yaml,
create_namespace: true,
install_only: false,
repository: Some(HelmRepository::new(
"nats".to_string(),
hurl!("https://nats-io.github.io/k8s/helm/charts/"),
true,
)),
};
Box::new(nats)
}
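Review bot: the rendered Helm values embed plaintext NATS credentials (`- password: "enGk0cgZUabM6bN6FXHT"` / `user: "testUser"` and the `system` account `admin` / `admin_2`), and `debug!("Prepared Helm Chart values : \n{values_yaml:#?}")` then writes the complete values, passwords included, to the log; source these from `SecretManager` as the other examples do for firewall and SSH secrets, use NATS bcrypt password hashes in the config, and drop the values dump from the debug log (or log it with the `users` block stripped). `debug: true` and `trace: true` in the server config make every message payload appear in the NATS logs, which is fine for a test namespace but should be called out. The comment `// Construct wss:// URLs on port 443 for the remote gateways` does not match the code, which builds `- nats://{}` from `gateway_advertise`. `create_certificate(.., None, Some(true), ..)` and `Some(vec![cluster.dns_name.clone()]), Some(true)` pass positional `Option<bool>` arguments whose meaning (CA? usages?) is not recoverable at the call site; a short comment on each would help.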

View File

@@ -3,15 +3,58 @@ use std::str::FromStr;
use harmony::{
inventory::Inventory,
modules::helm::chart::{HelmChartScore, HelmRepository, NonBlankString},
topology::K8sAnywhereTopology,
topology::{HelmCommand, K8sAnywhereConfig, K8sAnywhereTopology, TlsRouter, Topology},
};
use harmony_macros::hurl;
use log::info;
#[tokio::main]
async fn main() {
// env_logger::init();
let values_yaml = Some(
let site1_topo = K8sAnywhereTopology::with_config(K8sAnywhereConfig::remote_k8s_from_env_var(
"HARMONY_NATS_SITE_1",
));
let site2_topo = K8sAnywhereTopology::with_config(K8sAnywhereConfig::remote_k8s_from_env_var(
"HARMONY_NATS_SITE_2",
));
let site1_domain = site1_topo.get_internal_domain().await.unwrap().unwrap();
let site2_domain = site2_topo.get_internal_domain().await.unwrap().unwrap();
let site1_gateway = format!("nats-gateway.{}", site1_domain);
let site2_gateway = format!("nats-gateway.{}", site2_domain);
tokio::join!(
deploy_nats(
site1_topo,
"site-1",
vec![("site-2".to_string(), site2_gateway)]
),
deploy_nats(
site2_topo,
"site-2",
vec![("site-1".to_string(), site1_gateway)]
),
);
}
async fn deploy_nats<T: Topology + HelmCommand + TlsRouter + 'static>(
topology: T,
cluster_name: &str,
remote_gateways: Vec<(String, String)>,
) {
topology.ensure_ready().await.unwrap();
let mut gateway_gateways = String::new();
for (name, url) in remote_gateways {
gateway_gateways.push_str(&format!(
r#"
- name: {name}
urls:
- nats://{url}:7222"#
));
}
let values_yaml = Some(format!(
r#"config:
cluster:
enabled: true
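Review bot: `deploy_nats` returns `()` and unwraps internally, and `main` runs the two calls under `tokio::join!`, so a failure on one site panics the process while the other site's deploy is mid-flight; returning `Result` and using `tokio::try_join!` (as the new supercluster example does) lets `main` report which site failed. The `.unwrap().unwrap()` on `get_internal_domain()` for `site1_topo` and `site2_topo` would also be clearer as `.expect("site-1 internal domain")` so the panic names the site.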
@@ -25,16 +68,31 @@ async fn main() {
leafnodes:
enabled: false
# port: 7422
websocket:
enabled: true
ingress:
enabled: true
className: openshift-default
pathType: Prefix
hosts:
- nats-ws.{}
gateway:
enabled: false
# name: my-gateway
# port: 7522
enabled: true
name: {}
port: 7222
gateways: {}
service:
ports:
gateway:
enabled: true
natsBox:
container:
image:
tag: nonroot"#
.to_string(),
);
tag: nonroot"#,
topology.get_internal_domain().await.unwrap().unwrap(),
cluster_name,
gateway_gateways,
));
let namespace = "nats";
let nats = HelmChartScore {
namespace: Some(NonBlankString::from_str(namespace).unwrap()),
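Review bot: the gateway block switched on here (`enabled: true`, `name: {}`, `port: 7222`, `gateways: {}`) has no `tls` section in this hunk, and the peer URLs are built as `nats://{url}:7222` against each site's internal domain, so the inter-site gateway links, which carry all cross-cluster traffic including the system account, run without TLS unless something else in the chart values sets it. The supercluster example added in this change enables `gateway.tls` with a shared CA bundle; either do the same here or add a comment stating that this example is cleartext by design.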
@@ -52,14 +110,9 @@ natsBox:
)),
};
harmony_cli::run(
Inventory::autoload(),
K8sAnywhereTopology::from_env(),
vec![Box::new(nats)],
None,
)
.await
.unwrap();
harmony_cli::run(Inventory::autoload(), topology, vec![Box::new(nats)], None)
.await
.unwrap();
info!(
"Enjoy! You can test your nats cluster by running : `kubectl exec -n {namespace} -it deployment/nats-box -- nats pub test hi`"

View File

@@ -20,3 +20,4 @@ env_logger = { workspace = true }
url = { workspace = true }
serde.workspace = true
brocade = { path = "../../brocade" }
schemars = "0.8"
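Review bot: `schemars = "0.8"` is pinned directly here and again in each of the other example `Cargo.toml` files touched by this change, while the neighbouring crates use `{ workspace = true }` or `.workspace = true`; declaring `schemars` once under the workspace dependencies keeps every example on the same version as the `harmony` crate that derives `JsonSchema` on its secret types.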

View File

@@ -2,19 +2,24 @@ use brocade::BrocadeOptions;
use cidr::Ipv4Cidr;
use harmony::{
hardware::{Location, SwitchGroup},
infra::{brocade::BrocadeSwitchClient, opnsense::OPNSenseManagementInterface},
infra::{
brocade::{BrocadeSwitchClient, BrocadeSwitchConfig},
opnsense::OPNSenseManagementInterface,
},
inventory::Inventory,
modules::brocade::BrocadeSwitchAuth,
topology::{HAClusterTopology, LogicalHost, UnmanagedRouter},
};
use harmony_macros::{ip, ipv4};
use harmony_secret::{Secret, SecretManager};
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
use std::{
net::IpAddr,
sync::{Arc, OnceLock},
};
#[derive(Secret, Serialize, Deserialize, Debug, PartialEq)]
#[derive(Secret, Serialize, Deserialize, JsonSchema, Debug, PartialEq)]
struct OPNSenseFirewallConfig {
username: String,
password: String,
@@ -35,12 +40,11 @@ pub async fn get_topology() -> HAClusterTopology {
dry_run: *harmony::config::DRY_RUN,
..Default::default()
};
let switch_client = BrocadeSwitchClient::init(
&switches,
&switch_auth.username,
&switch_auth.password,
brocade_options,
)
let switch_client = BrocadeSwitchClient::init(BrocadeSwitchConfig {
ips: switches,
auth: switch_auth,
options: brocade_options,
})
.await
.expect("Failed to connect to switch");
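Review bot: `BrocadeSwitchConfig { ips: switches, auth: switch_auth, options: brocade_options }` now carries the whole `BrocadeSwitchAuth` value where the previous call passed `&switch_auth.username` and `&switch_auth.password` separately; if `BrocadeSwitchConfig` is ever formatted with `Debug` (for example in a connection-failure log), the password travels with it, so the auth type's `Debug` impl should redact it before this pattern is copied into every example.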
@@ -102,9 +106,3 @@ pub fn get_inventory() -> Inventory {
control_plane_host: vec![],
}
}
#[derive(Secret, Serialize, Deserialize, Debug)]
pub struct BrocadeSwitchAuth {
pub username: String,
pub password: String,
}

View File

@@ -20,3 +20,4 @@ env_logger = { workspace = true }
url = { workspace = true }
serde.workspace = true
brocade = { path = "../../brocade" }
schemars = "0.8"

View File

@@ -3,13 +3,16 @@ use cidr::Ipv4Cidr;
use harmony::{
config::secret::OPNSenseFirewallCredentials,
hardware::{Location, SwitchGroup},
infra::{brocade::BrocadeSwitchClient, opnsense::OPNSenseManagementInterface},
infra::{
brocade::{BrocadeSwitchClient, BrocadeSwitchConfig},
opnsense::OPNSenseManagementInterface,
},
inventory::Inventory,
modules::brocade::BrocadeSwitchAuth,
topology::{HAClusterTopology, LogicalHost, UnmanagedRouter},
};
use harmony_macros::{ip, ipv4};
use harmony_secret::{Secret, SecretManager};
use serde::{Deserialize, Serialize};
use harmony_secret::SecretManager;
use std::{
net::IpAddr,
sync::{Arc, OnceLock},
@@ -30,12 +33,11 @@ pub async fn get_topology() -> HAClusterTopology {
dry_run: *harmony::config::DRY_RUN,
..Default::default()
};
let switch_client = BrocadeSwitchClient::init(
&switches,
&switch_auth.username,
&switch_auth.password,
brocade_options,
)
let switch_client = BrocadeSwitchClient::init(BrocadeSwitchConfig {
ips: switches,
auth: switch_auth,
options: brocade_options,
})
.await
.expect("Failed to connect to switch");
@@ -97,9 +99,3 @@ pub fn get_inventory() -> Inventory {
control_plane_host: vec![],
}
}
#[derive(Secret, Serialize, Deserialize, Debug)]
pub struct BrocadeSwitchAuth {
pub username: String,
pub password: String,
}

View File

@@ -56,6 +56,8 @@ async fn main() {
)),
};
// TODO exec pod commands to initialize secret store if not already done
harmony_cli::run(
Inventory::autoload(),
K8sAnywhereTopology::from_env(),

View File

@@ -19,3 +19,4 @@ url = { workspace = true }
harmony_secret = { path = "../../harmony_secret" }
brocade = { path = "../../brocade" }
serde = { workspace = true }
schemars = "0.8"

View File

@@ -7,6 +7,7 @@ use harmony::{
};
use harmony_macros::{ip, ipv4};
use harmony_secret::{Secret, SecretManager};
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
#[tokio::main]
@@ -70,7 +71,7 @@ async fn main() {
.unwrap();
}
#[derive(Secret, Serialize, Deserialize, Debug)]
#[derive(Secret, Serialize, Deserialize, JsonSchema, Debug)]
pub struct BrocadeSwitchAuth {
pub username: String,
pub password: String,
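Review bot: this example keeps its own `pub struct BrocadeSwitchAuth` (only adding `JsonSchema`) while the other examples in this change delete the local copy and import `harmony::modules::brocade::BrocadeSwitchAuth`; two `Secret`-derived structs with the same name at different crate paths may be stored under different keys depending on how the derive names them, so migrate this one too for consistency.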

View File

@@ -1,5 +1,5 @@
[package]
name = "example-nanodc"
name = "sttest"
edition = "2024"
version.workspace = true
readme.workspace = true
@@ -8,14 +8,16 @@ publish = false
[dependencies]
harmony = { path = "../../harmony" }
harmony_tui = { path = "../../harmony_tui" }
harmony_cli = { path = "../../harmony_cli" }
harmony_types = { path = "../../harmony_types" }
cidr = { workspace = true }
tokio = { workspace = true }
harmony_macros = { path = "../../harmony_macros" }
harmony_secret = { path = "../../harmony_secret" }
harmony_secret_derive = { path = "../../harmony_secret_derive" }
log = { workspace = true }
env_logger = { workspace = true }
url = { workspace = true }
serde = { workspace = true }
brocade = { path = "../../brocade" }
schemars = "0.8"
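Review bot: the package name `sttest`, together with `HARMONY_SECRET_NAMESPACE=sttest0` in `env.sh` and the `"Sylvain's basement"` location in `topology.rs`, reads as a personal scratch example copied from `example-nanodc`; if it is meant to live in `examples/`, give it a descriptive name and generic values, otherwise keep it out of the shared tree.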

1
examples/sttest/data Symbolic link
View File

@@ -0,0 +1 @@
../../data/

4
examples/sttest/env.sh Normal file
View File

@@ -0,0 +1,4 @@
export HARMONY_SECRET_NAMESPACE=sttest0
export HARMONY_SECRET_STORE=file
export HARMONY_DATABASE_URL=sqlite://harmony_sttest0.sqlite
export RUST_LOG=info
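Review bot: `HARMONY_SECRET_STORE=file` with `HARMONY_DATABASE_URL=sqlite://harmony_sttest0.sqlite` puts both the secret store and the inventory database in the example's working directory; make sure the file-backed secret store path and `harmony_sttest0.sqlite` are covered by `.gitignore`, since a run of this example persists the OPNSense login and the SSH key pair fetched via `SecretManager`.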

View File

@@ -0,0 +1,41 @@
mod topology;
use crate::topology::{get_inventory, get_topology};
use harmony::{
config::secret::SshKeyPair,
data::{FileContent, FilePath},
modules::{
inventory::HarmonyDiscoveryStrategy,
okd::{installation::OKDInstallationPipeline, ipxe::OKDIpxeScore},
},
score::Score,
topology::HAClusterTopology,
};
use harmony_secret::SecretManager;
#[tokio::main]
async fn main() {
// env_logger::init();
let inventory = get_inventory();
let topology = get_topology().await;
let ssh_key = SecretManager::get_or_prompt::<SshKeyPair>().await.unwrap();
let mut scores: Vec<Box<dyn Score<HAClusterTopology>>> = vec![Box::new(OKDIpxeScore {
kickstart_filename: "inventory.kickstart".to_string(),
harmony_inventory_agent: "harmony_inventory_agent".to_string(),
cluster_pubkey: FileContent {
path: FilePath::Relative("cluster_ssh_key.pub".to_string()),
content: ssh_key.public,
},
})];
// let mut scores: Vec<Box<dyn Score<HAClusterTopology>>> = vec![];
scores
.append(&mut OKDInstallationPipeline::get_all_scores(HarmonyDiscoveryStrategy::MDNS).await);
harmony_cli::run(inventory, topology, scores, None)
.await
.unwrap();
}
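Review bot: `// env_logger::init();` and `// let mut scores: Vec<Box<dyn Score<HAClusterTopology>>> = vec![];` are commented-out code; drop them, or replace the second with a comment explaining why `OKDIpxeScore` must precede the `OKDInstallationPipeline::get_all_scores(..)` entries.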

View File

@@ -0,0 +1,100 @@
use cidr::Ipv4Cidr;
use harmony::{
hardware::{Location, SwitchGroup},
infra::{brocade::UnmanagedSwitch, opnsense::OPNSenseManagementInterface},
inventory::Inventory,
topology::{HAClusterTopology, LogicalHost, UnmanagedRouter},
};
use harmony_macros::{ip, ipv4};
use harmony_secret::{Secret, SecretManager};
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
use std::{
net::IpAddr,
sync::{Arc, OnceLock},
};
#[derive(Secret, Serialize, Deserialize, JsonSchema, Debug, PartialEq)]
struct OPNSenseFirewallConfig {
username: String,
password: String,
}
pub async fn get_topology() -> HAClusterTopology {
let firewall = harmony::topology::LogicalHost {
ip: ip!("192.168.40.1"),
name: String::from("fw0"),
};
let switch_client = UnmanagedSwitch::init()
.await
.expect("Failed to connect to switch");
let switch_client = Arc::new(switch_client);
let config = SecretManager::get_or_prompt::<OPNSenseFirewallConfig>().await;
let config = config.unwrap();
let opnsense = Arc::new(
harmony::infra::opnsense::OPNSenseFirewall::new(
firewall,
None,
&config.username,
&config.password,
)
.await,
);
let lan_subnet = ipv4!("192.168.40.0");
let gateway_ipv4 = ipv4!("192.168.40.1");
let gateway_ip = IpAddr::V4(gateway_ipv4);
harmony::topology::HAClusterTopology {
kubeconfig: None,
domain_name: "sttest0.harmony.mcd".to_string(),
router: Arc::new(UnmanagedRouter::new(
gateway_ip,
Ipv4Cidr::new(lan_subnet, 24).unwrap(),
)),
load_balancer: opnsense.clone(),
firewall: opnsense.clone(),
tftp_server: opnsense.clone(),
http_server: opnsense.clone(),
dhcp_server: opnsense.clone(),
dns_server: opnsense.clone(),
control_plane: vec![
LogicalHost {
ip: ip!("192.168.40.20"),
name: "cp0".to_string(),
},
LogicalHost {
ip: ip!("192.168.40.21"),
name: "cp1".to_string(),
},
LogicalHost {
ip: ip!("192.168.40.22"),
name: "cp2".to_string(),
},
],
bootstrap_host: LogicalHost {
ip: ip!("192.168.40.10"),
name: "bootstrap".to_string(),
},
workers: vec![LogicalHost {
ip: ip!("192.168.40.30"),
name: "wk0".to_string(),
}],
node_exporter: opnsense.clone(),
switch_client: switch_client.clone(),
network_manager: OnceLock::new(),
}
}
pub fn get_inventory() -> Inventory {
Inventory {
location: Location::new("Sylvain's basement".to_string(), "Charlesbourg".to_string()),
switch: SwitchGroup::from([]),
firewall_mgmt: Box::new(OPNSenseManagementInterface::new()),
storage_host: vec![],
worker_host: vec![],
control_plane_host: vec![],
}
}
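Review bot: `UnmanagedSwitch::init().await.expect("Failed to connect to switch")` keeps the message from the managed-switch examples, but an unmanaged switch has nothing to connect to, so the message would mislead whoever hits it; `expect("Failed to initialize unmanaged switch client")` is accurate. The firewall credentials are fetched with `SecretManager::get_or_prompt::<OPNSenseFirewallConfig>().await` and then `.unwrap()`ed on a separate line; `.expect("OPNSense firewall credentials")` carries the context in one step.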

View File

@@ -5,6 +5,10 @@ version.workspace = true
readme.workspace = true
license.workspace = true
[[example]]
name = "try_rust_webapp"
path = "src/main.rs"
[dependencies]
harmony = { path = "../../harmony" }
harmony_cli = { path = "../../harmony_cli" }

View File

@@ -30,6 +30,7 @@ opnsense-config = { path = "../opnsense-config" }
opnsense-config-xml = { path = "../opnsense-config-xml" }
harmony_macros = { path = "../harmony_macros" }
harmony_types = { path = "../harmony_types" }
harmony_execution = { path = "../harmony_execution" }
uuid.workspace = true
url.workspace = true
kube = { workspace = true, features = ["derive"] }
@@ -47,7 +48,7 @@ temp-file = "0.1.9"
convert_case.workspace = true
email_address = "0.2.9"
chrono.workspace = true
fqdn = { version = "0.4.6", features = [
fqdn = { version = "0.5.2", features = [
"domain-label-cannot-start-or-end-with-hyphen",
"domain-label-length-limited-to-63",
"domain-name-without-special-chars",
@@ -79,6 +80,7 @@ sqlx.workspace = true
inquire.workspace = true
brocade = { path = "../brocade" }
option-ext = "0.2.0"
tokio-retry = "0.3.0"
[dev-dependencies]
pretty_assertions.workspace = true
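Review bot: `tokio-retry = "0.3.0"` is added as a direct pin while its neighbours use `workspace = true`; if other crates in the workspace will retry too, declare it once at the workspace level.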

View File

@@ -1,20 +1,21 @@
use harmony_secret_derive::Secret;
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
#[derive(Secret, Serialize, Deserialize, Debug, PartialEq)]
#[derive(Secret, Serialize, Deserialize, JsonSchema, Debug, PartialEq)]
pub struct OPNSenseFirewallCredentials {
pub username: String,
pub password: String,
}
// TODO we need a better way to handle multiple "instances" of the same secret structure.
#[derive(Secret, Serialize, Deserialize, Debug, PartialEq)]
#[derive(Secret, Serialize, Deserialize, JsonSchema, Debug, PartialEq)]
pub struct SshKeyPair {
pub private: String,
pub public: String,
}
#[derive(Secret, Serialize, Deserialize, Debug, PartialEq)]
#[derive(Secret, Serialize, Deserialize, JsonSchema, Debug, PartialEq)]
pub struct RedhatSecret {
pub pull_secret: String,
}

View File

@@ -108,11 +108,18 @@ impl PhysicalHost {
};
let storage_summary = if drive_count > 1 {
let drive_sizes = self
.storage
.iter()
.map(|d| format_storage(d.size_bytes))
.collect::<Vec<_>>()
.join(", ");
format!(
"{} Storage ({}x {})",
"{} Storage ({} Disks [{}])",
format_storage(total_storage_bytes),
drive_count,
first_drive_model
drive_sizes
)
} else {
format!(
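Review bot: the new format string `"{} Storage ({} Disks [{}])"` replaces `first_drive_model` with `drive_sizes`, so unless `first_drive_model` is still used in the `else` branch below it becomes an unused binding and warns; also, joining every disk size with `", "` gets long on hosts with many drives, so consider grouping identical sizes (e.g. `3x 1.8TB`).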

View File

@@ -1,6 +1,8 @@
use async_trait::async_trait;
use crate::{hardware::PhysicalHost, interpret::InterpretError, inventory::HostRole};
use crate::{
hardware::PhysicalHost, interpret::InterpretError, inventory::HostRole, topology::HostConfig,
};
/// Errors that can occur within the repository layer.
#[derive(thiserror::Error, Debug)]
@@ -29,10 +31,14 @@ pub trait InventoryRepository: Send + Sync + 'static {
async fn save(&self, host: &PhysicalHost) -> Result<(), RepoError>;
async fn get_latest_by_id(&self, host_id: &str) -> Result<Option<PhysicalHost>, RepoError>;
async fn get_all_hosts(&self) -> Result<Vec<PhysicalHost>, RepoError>;
async fn get_host_for_role(&self, role: &HostRole) -> Result<Vec<PhysicalHost>, RepoError>;
async fn get_hosts_for_role(
&self,
role: &HostRole,
) -> Result<Vec<(PhysicalHost, HostConfig)>, RepoError>;
async fn save_role_mapping(
&self,
role: &HostRole,
host: &PhysicalHost,
installation_device: &String,
) -> Result<(), RepoError>;
}
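Review bot: `save_role_mapping` takes `installation_device: &String` while `HostConfig.installation_device` is `Option<String>` in the `host_binding.rs` hunk of this same change, so a host with no chosen device cannot round-trip through `get_hosts_for_role`; make the parameter `Option<&str>` (or `&HostConfig`) so the two agree, and prefer `&str` over `&String` in trait signatures regardless. The rename from `get_host_for_role` also changes the return type to `Vec<(PhysicalHost, HostConfig)>`, an API break worth a line in the trait's doc comment.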

View File

@@ -0,0 +1,58 @@
use async_trait::async_trait;
use log::info;
use crate::topology::{
K8sAnywhereConfig, K8sAnywhereTopology, PreparationError, PreparationOutcome, Topology,
};
pub struct DecentralizedTopology<T> {
pub sites: Vec<T>,
}
#[async_trait]
impl<T: Topology + Send + Sync> Topology for DecentralizedTopology<T> {
fn name(&self) -> &str {
"DecentralizedTopology"
}
async fn ensure_ready(&self) -> Result<PreparationOutcome, PreparationError> {
let mut details = Vec::new();
for site in &self.sites {
let outcome = site.ensure_ready().await?;
match outcome {
PreparationOutcome::Success { details: d } => {
details.push(d);
}
PreparationOutcome::Noop => {
details.push("site ready Noop".to_string());
info!("site ready");
}
}
}
Ok(PreparationOutcome::Success {
details: details.join(","),
})
}
}
impl DecentralizedTopology<K8sAnywhereTopology> {
pub fn from_env() -> Self {
let mut sites = Vec::new();
for i in 1.. {
let var = format!("HARMONY_DECENTRALIZED_TOPOLOGY_K8S_SITE_{}", i);
match std::env::var(&var) {
Ok(_) => {
let cfg = K8sAnywhereConfig::remote_k8s_from_env_var(&var);
sites.push(K8sAnywhereTopology::with_config(cfg));
}
Err(_) => break,
}
}
Self { sites }
}
}
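Review bot: `from_env` silently yields an empty `sites` vector when `HARMONY_DECENTRALIZED_TOPOLOGY_K8S_SITE_1` is unset, and `ensure_ready` then returns `PreparationOutcome::Success` with empty details, so a misconfigured environment looks ready; return an error (or at least `warn!`) on zero sites, and document that numbering must be contiguous from 1 because the `for i in 1..` loop breaks at the first gap. `ensure_ready` also reports a `Noop` from every site as `Success { details: "site ready Noop,..." }`; propagating `Noop` when no site did work preserves the outcome semantics of the inner topologies.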

View File

@@ -1,5 +1,4 @@
use async_trait::async_trait;
use brocade::PortOperatingMode;
use harmony_macros::ip;
use harmony_types::{
id::Id,
@@ -9,9 +8,9 @@ use harmony_types::{
use log::debug;
use log::info;
use crate::topology::PxeOptions;
use crate::{data::FileContent, executors::ExecutorError, topology::node_exporter::NodeExporter};
use crate::{infra::network_manager::OpenShiftNmStateNetworkManager, topology::PortConfig};
use crate::{modules::inventory::HarmonyDiscoveryStrategy, topology::PxeOptions};
use super::{
DHCPStaticEntry, DhcpServer, DnsRecord, DnsRecordType, DnsServer, Firewall, HostNetworkConfig,
@@ -301,10 +300,10 @@ impl Switch for HAClusterTopology {
Ok(())
}
async fn clear_port_channel(&self, ids: &Vec<Id>) -> Result<(), SwitchError> {
async fn clear_port_channel(&self, _ids: &Vec<Id>) -> Result<(), SwitchError> {
todo!()
}
async fn configure_interface(&self, ports: &Vec<PortConfig>) -> Result<(), SwitchError> {
async fn configure_interface(&self, _ports: &Vec<PortConfig>) -> Result<(), SwitchError> {
todo!()
}
}
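Review bot: renaming `ids` to `_ids` and `ports` to `_ports` silences the unused-variable warnings but leaves `todo!()` in `clear_port_channel` and `configure_interface` on the production `impl Switch for HAClusterTopology`, so a caller gets a panic at runtime instead of a `SwitchError`; return an `Err` with a clear not-implemented message so the failure is recoverable and logged.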
@@ -322,7 +321,15 @@ impl NetworkManager for HAClusterTopology {
self.network_manager().await.configure_bond(config).await
}
//TODO add snmp here
async fn configure_bond_on_primary_interface(
&self,
config: &HostNetworkConfig,
) -> Result<(), NetworkError> {
self.network_manager()
.await
.configure_bond_on_primary_interface(config)
.await
}
}
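Review bot: the `//TODO add snmp here` comment now sits directly above the new `configure_bond_on_primary_interface`, where it reads as describing that method; move it to where SNMP support would go, or reference a tracking issue.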
#[async_trait]
@@ -562,10 +569,10 @@ impl SwitchClient for DummyInfra {
) -> Result<u8, SwitchError> {
unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
}
async fn clear_port_channel(&self, ids: &Vec<Id>) -> Result<(), SwitchError> {
async fn clear_port_channel(&self, _ids: &Vec<Id>) -> Result<(), SwitchError> {
todo!()
}
async fn configure_interface(&self, ports: &Vec<PortConfig>) -> Result<(), SwitchError> {
async fn configure_interface(&self, _ports: &Vec<PortConfig>) -> Result<(), SwitchError> {
todo!()
}
}
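Review bot: `DummyInfra` uses `unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)` for its other `SwitchClient` methods but `todo!()` for `clear_port_channel` and `configure_interface`; using the same macro and message keeps the dummy's panics recognizable in test output.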

View File

@@ -1 +1,5 @@
pub trait HelmCommand {}
use std::process::Command;
pub trait HelmCommand {
fn get_helm_command(&self) -> Command;
}
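Review bot: `fn get_helm_command(&self) -> Command` turns a marker trait into one with a required method and no doc comment; document what the returned `std::process::Command` must already carry (helm binary path, the kubeconfig/context for that topology), since the multi-site examples in this change rely on each site's topology targeting its own cluster, and an implementation that falls back to the ambient kubeconfig would deploy to the wrong cluster without any error.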

View File

@@ -7,12 +7,17 @@ use super::LogicalHost;
/// Represents the binding between a LogicalHost and a PhysicalHost.
///
///
/// This is the only construct that directly maps a logical host to a physical host.
/// It serves as a bridge between the logical cluster structure and the physical infrastructure.
#[derive(Debug, new, Clone, Serialize)]
pub struct HostBinding {
/// Reference to the LogicalHost
pub logical_host: LogicalHost,
/// Reference to the PhysicalHost
pub physical_host: PhysicalHost,
pub host_config: HostConfig,
}
#[derive(Debug, new, Clone, Serialize)]
pub struct HostConfig {
pub installation_device: Option<String>,
}
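Review bot: `pub host_config: HostConfig` is the only field on `HostBinding` without a `///` doc line, and the doc block above has two consecutive empty `///` lines; a doc comment on `HostConfig.installation_device` stating what `None` means (auto-select, or no installation) would help the repository code that now stores and returns it.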

File diff suppressed because it is too large


@@ -0,0 +1,133 @@
//! Resource Bundle Pattern Implementation
//!
//! This module implements the Resource Bundle pattern for managing groups of
//! Kubernetes resources that form a logical unit of work.
//!
//! ## Purpose
//!
//! The ResourceBundle pattern addresses the need to manage ephemeral privileged
//! pods along with their platform-specific security requirements (e.g., OpenShift
//! Security Context Constraints).
//!
//! ## Use Cases
//!
//! - Writing files to node filesystems (e.g., NetworkManager configurations for
//! network bonding as described in ADR-019)
//! - Running privileged commands on nodes (e.g., reboots, system configuration)
//!
//! ## Benefits
//!
//! - **Separation of Concerns**: Client code doesn't need to know about
//! platform-specific RBAC requirements
//! - **Atomic Operations**: Resources are applied and deleted as a unit
//! - **Clean Abstractions**: Privileged operations are encapsulated in bundles
//! rather than scattered throughout client methods
//!
//! ## Example
//!
//! ```rust,no_run
//! use harmony::topology::k8s::{K8sClient, helper};
//! use harmony::topology::KubernetesDistribution;
//!
//! async fn write_network_config(client: &K8sClient, node: &str) {
//! // Create a bundle with platform-specific RBAC
//! let bundle = helper::build_privileged_bundle(
//! helper::PrivilegedPodConfig {
//! name: "network-config".to_string(),
//! namespace: "default".to_string(),
//! node_name: node.to_string(),
//! // ... other config
//! ..Default::default()
//! },
//! &KubernetesDistribution::OpenshiftFamily,
//! );
//!
//! // Apply all resources (RBAC + Pod) atomically
//! bundle.apply(client).await.unwrap();
//!
//! // ... wait for completion ...
//!
//! // Cleanup all resources
//! bundle.delete(client).await.unwrap();
//! }
//! ```
use kube::{Error, Resource, ResourceExt, api::DynamicObject};
use serde::Serialize;
use serde_json;
use crate::domain::topology::k8s::K8sClient;
/// A ResourceBundle represents a logical unit of work consisting of multiple
/// Kubernetes resources that should be applied or deleted together.
///
/// This pattern is useful for managing ephemeral privileged pods along with
/// their required RBAC bindings (e.g., OpenShift SCC bindings).
#[derive(Debug)]
pub struct ResourceBundle {
pub resources: Vec<DynamicObject>,
}
impl ResourceBundle {
pub fn new() -> Self {
Self {
resources: Vec::new(),
}
}
/// Add a Kubernetes resource to this bundle.
/// The resource is converted to a DynamicObject for generic handling.
pub fn add<K>(&mut self, resource: K)
where
K: Resource + Serialize,
<K as Resource>::DynamicType: Default,
{
// Convert the typed resource to JSON, then to DynamicObject
let json = serde_json::to_value(&resource).expect("Failed to serialize resource");
let mut obj: DynamicObject =
serde_json::from_value(json).expect("Failed to convert to DynamicObject");
// Ensure type metadata is set
if obj.types.is_none() {
let api_version = Default::default();
let kind = Default::default();
let gvk = K::api_version(&api_version);
let kind = K::kind(&kind);
obj.types = Some(kube::api::TypeMeta {
api_version: gvk.to_string(),
kind: kind.to_string(),
});
}
self.resources.push(obj);
}
/// Apply all resources in this bundle to the cluster.
/// Resources are applied in the order they were added.
pub async fn apply(&self, client: &K8sClient) -> Result<(), Error> {
for res in &self.resources {
let namespace = res.namespace();
client
.apply_dynamic(res, namespace.as_deref(), true)
.await?;
}
Ok(())
}
/// Delete all resources in this bundle from the cluster.
/// Resources are deleted in reverse order to respect dependencies.
pub async fn delete(&self, client: &K8sClient) -> Result<(), Error> {
// FIXME delete all in parallel and retry using kube::client::retry::RetryPolicy
for res in self.resources.iter().rev() {
let api = client.get_api_for_dynamic_object(res, res.namespace().as_deref())?;
let name = res.name_any();
// FIXME this swallows all errors. Swallowing a 404 is ok but other errors must be
// handled properly (such as retrying). A normal error case is when we delete a
// resource bundle with dependencies between various resources. Such as a pod with a
// dependency on a ClusterRoleBinding. Trying to delete the ClusterRoleBinding first
// is expected to fail
let _ = api.delete(&name, &kube::api::DeleteParams::default()).await;
}
Ok(())
}
}
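Review bot: `delete` discards every error from `api.delete`, so on OpenShift a failed deletion of the `ClusterRoleBinding` leaves the namespace's `default` ServiceAccount bound to the privileged SCC with no signal to the caller; at minimum match on a 404 `kube::Error::Api` and propagate everything else, as the FIXME itself says. Two smaller points: `add` panics via `expect` on serialization failure where returning `Result<(), Error>` would let callers handle it, and in the `types.is_none()` branch the local named `gvk` holds only the API version string, so rename it to avoid confusion with `GroupVersionKind`; the bare `true` passed to `apply_dynamic` would also read better as a named local.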


@@ -0,0 +1 @@
pub const PRIVILEGED_POD_IMAGE: &str = "hub.nationtech.io/redhat/ubi10:latest";
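Review bot: `PRIVILEGED_POD_IMAGE` is pinned to the mutable `:latest` tag, yet this image runs as a privileged container with the node root filesystem mounted (see the `host_root_volume` helper in this change); pin it to an immutable digest (`ubi10@sha256:<digest>`) or at least a specific version tag so the same bits run on every node and a retagged image in the registry cannot silently change what executes with host privileges.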


@@ -0,0 +1,601 @@
use std::collections::BTreeMap;
use std::time::Duration;
use crate::topology::KubernetesDistribution;
use super::bundle::ResourceBundle;
use super::config::PRIVILEGED_POD_IMAGE;
use k8s_openapi::api::core::v1::{
Container, HostPathVolumeSource, Pod, PodSpec, SecurityContext, Volume, VolumeMount,
};
use k8s_openapi::api::rbac::v1::{ClusterRoleBinding, RoleRef, Subject};
use k8s_openapi::apimachinery::pkg::apis::meta::v1::ObjectMeta;
use kube::error::DiscoveryError;
use log::{debug, error, info, warn};
#[derive(Debug)]
pub struct PrivilegedPodConfig {
pub name: String,
pub namespace: String,
pub node_name: String,
pub container_name: String,
pub command: Vec<String>,
pub volumes: Vec<Volume>,
pub volume_mounts: Vec<VolumeMount>,
pub host_pid: bool,
pub host_network: bool,
}
impl Default for PrivilegedPodConfig {
fn default() -> Self {
Self {
name: "privileged-pod".to_string(),
namespace: "harmony".to_string(),
node_name: "".to_string(),
container_name: "privileged-container".to_string(),
command: vec![],
volumes: vec![],
volume_mounts: vec![],
host_pid: false,
host_network: false,
}
}
}
pub fn build_privileged_pod(
config: PrivilegedPodConfig,
k8s_distribution: &KubernetesDistribution,
) -> Pod {
let annotations = match k8s_distribution {
KubernetesDistribution::OpenshiftFamily => Some(BTreeMap::from([
("openshift.io/scc".to_string(), "privileged".to_string()),
(
"openshift.io/required-scc".to_string(),
"privileged".to_string(),
),
])),
_ => None,
};
Pod {
metadata: ObjectMeta {
name: Some(config.name),
namespace: Some(config.namespace),
annotations,
..Default::default()
},
spec: Some(PodSpec {
node_name: Some(config.node_name),
restart_policy: Some("Never".to_string()),
host_pid: Some(config.host_pid),
host_network: Some(config.host_network),
containers: vec![Container {
name: config.container_name,
image: Some(PRIVILEGED_POD_IMAGE.to_string()),
command: Some(config.command),
security_context: Some(SecurityContext {
privileged: Some(true),
..Default::default()
}),
volume_mounts: Some(config.volume_mounts),
..Default::default()
}],
volumes: Some(config.volumes),
..Default::default()
}),
..Default::default()
}
}
pub fn host_root_volume() -> (Volume, VolumeMount) {
(
Volume {
name: "host".to_string(),
host_path: Some(HostPathVolumeSource {
path: "/".to_string(),
..Default::default()
}),
..Default::default()
},
VolumeMount {
name: "host".to_string(),
mount_path: "/host".to_string(),
..Default::default()
},
)
}
/// Build a ResourceBundle containing a privileged pod and any required RBAC.
///
/// This function implements the Resource Bundle pattern to encapsulate platform-specific
/// security requirements for running privileged operations on nodes.
///
/// # Platform-Specific Behavior
///
/// - **OpenShift**: Creates a ClusterRoleBinding to grant the default ServiceAccount
/// access to the `system:openshift:scc:privileged` ClusterRole, which allows the pod
/// to use the privileged Security Context Constraint (SCC).
/// - **Standard Kubernetes/K3s**: Only creates the Pod resource, as these distributions
/// use standard PodSecurityPolicy or don't enforce additional security constraints.
///
/// # Arguments
///
/// * `config` - Configuration for the privileged pod (name, namespace, command, etc.)
/// * `k8s_distribution` - The detected Kubernetes distribution to determine RBAC requirements
///
/// # Returns
///
/// A `ResourceBundle` containing 1-2 resources:
/// - ClusterRoleBinding (OpenShift only)
/// - Pod (all distributions)
///
/// # Example
///
/// ```rust,no_run
/// # use harmony::topology::k8s::helper::{build_privileged_bundle, PrivilegedPodConfig};
/// # use harmony::topology::KubernetesDistribution;
/// let bundle = build_privileged_bundle(
/// PrivilegedPodConfig {
/// name: "network-setup".to_string(),
/// namespace: "default".to_string(),
/// node_name: "worker-01".to_string(),
/// container_name: "setup".to_string(),
/// command: vec!["nmcli".to_string(), "connection".to_string(), "reload".to_string()],
/// ..Default::default()
/// },
/// &KubernetesDistribution::OpenshiftFamily,
/// );
/// // Bundle now contains ClusterRoleBinding + Pod
/// ```
pub fn build_privileged_bundle(
config: PrivilegedPodConfig,
k8s_distribution: &KubernetesDistribution,
) -> ResourceBundle {
debug!(
"Building privileged bundle for config {config:#?} on distribution {k8s_distribution:?}"
);
let mut bundle = ResourceBundle::new();
let pod_name = config.name.clone();
let namespace = config.namespace.clone();
// 1. On OpenShift, create RBAC binding to privileged SCC
if let KubernetesDistribution::OpenshiftFamily = k8s_distribution {
// The default ServiceAccount needs to be bound to the privileged SCC
// via the system:openshift:scc:privileged ClusterRole
let crb = ClusterRoleBinding {
metadata: ObjectMeta {
name: Some(format!("{}-scc-binding", pod_name)),
..Default::default()
},
role_ref: RoleRef {
api_group: "rbac.authorization.k8s.io".to_string(),
kind: "ClusterRole".to_string(),
name: "system:openshift:scc:privileged".to_string(),
},
subjects: Some(vec![Subject {
kind: "ServiceAccount".to_string(),
name: "default".to_string(),
namespace: Some(namespace.clone()),
api_group: None,
..Default::default()
}]),
};
bundle.add(crb);
}
// 2. Build the privileged pod
let pod = build_privileged_pod(config, k8s_distribution);
bundle.add(pod);
bundle
}
/// Action to take when a drain operation times out.
pub enum DrainTimeoutAction {
/// Accept the partial drain and continue
Accept,
/// Retry the drain for another timeout period
Retry,
/// Abort the drain operation
Abort,
}
/// Prompts the user to confirm acceptance of a partial drain.
///
/// Returns `Ok(true)` if the user confirms acceptance, `Ok(false)` if the user
/// chooses to retry or abort, and `Err` if the prompt system fails entirely.
pub fn prompt_drain_timeout_action(
node_name: &str,
pending_count: usize,
timeout_duration: Duration,
) -> Result<DrainTimeoutAction, kube::Error> {
let prompt_msg = format!(
"Drain operation timed out on node '{}' with {} pod(s) remaining. What would you like to do?",
node_name, pending_count
);
loop {
let choices = vec![
"Accept drain failure (requires confirmation)".to_string(),
format!("Retry drain for another {:?}", timeout_duration),
"Abort operation".to_string(),
];
let selection = inquire::Select::new(&prompt_msg, choices)
.with_help_message("Use arrow keys to navigate, Enter to select")
.prompt()
.map_err(|e| {
kube::Error::Discovery(DiscoveryError::MissingResource(format!(
"Prompt failed: {}",
e
)))
})?;
if selection.starts_with("Accept") {
// Require typed confirmation - retry until correct or user cancels
let required_confirmation = format!("yes-accept-drain:{}={}", node_name, pending_count);
let confirmation_prompt = format!(
"To accept this partial drain, type exactly: {}",
required_confirmation
);
match inquire::Text::new(&confirmation_prompt)
.with_help_message(&format!(
"This action acknowledges {} pods will remain on the node",
pending_count
))
.prompt()
{
Ok(input) if input == required_confirmation => {
warn!(
"User accepted partial drain of node '{}' with {} pods remaining (confirmation: {})",
node_name, pending_count, required_confirmation
);
return Ok(DrainTimeoutAction::Accept);
}
Ok(input) => {
warn!(
"Confirmation failed. Expected '{}', got '{}'. Please try again.",
required_confirmation, input
);
}
Err(e) => {
// User cancelled (Ctrl+C) or prompt system failed
error!("Confirmation prompt cancelled or failed: {}", e);
return Ok(DrainTimeoutAction::Abort);
}
}
} else if selection.starts_with("Retry") {
info!(
"User chose to retry drain operation for another {:?}",
timeout_duration
);
return Ok(DrainTimeoutAction::Retry);
} else {
error!("Drain operation aborted by user");
return Ok(DrainTimeoutAction::Abort);
}
}
}
#[cfg(test)]
mod tests {
use super::*;
use pretty_assertions::assert_eq;
#[test]
fn test_host_root_volume() {
let (volume, mount) = host_root_volume();
assert_eq!(volume.name, "host");
assert_eq!(volume.host_path.as_ref().unwrap().path, "/");
assert_eq!(mount.name, "host");
assert_eq!(mount.mount_path, "/host");
}
#[test]
fn test_build_privileged_pod_minimal() {
let pod = build_privileged_pod(
PrivilegedPodConfig {
name: "minimal-pod".to_string(),
namespace: "kube-system".to_string(),
node_name: "node-123".to_string(),
container_name: "debug-container".to_string(),
command: vec!["sleep".to_string(), "3600".to_string()],
..Default::default()
},
&KubernetesDistribution::Default,
);
assert_eq!(pod.metadata.name, Some("minimal-pod".to_string()));
assert_eq!(pod.metadata.namespace, Some("kube-system".to_string()));
let spec = pod.spec.as_ref().expect("Pod spec should be present");
assert_eq!(spec.node_name, Some("node-123".to_string()));
assert_eq!(spec.restart_policy, Some("Never".to_string()));
assert_eq!(spec.host_pid, Some(false));
assert_eq!(spec.host_network, Some(false));
assert_eq!(spec.containers.len(), 1);
let container = &spec.containers[0];
assert_eq!(container.name, "debug-container");
assert_eq!(container.image, Some(PRIVILEGED_POD_IMAGE.to_string()));
assert_eq!(
container.command,
Some(vec!["sleep".to_string(), "3600".to_string()])
);
// Security context check
let sec_ctx = container
.security_context
.as_ref()
.expect("Security context missing");
assert_eq!(sec_ctx.privileged, Some(true));
}
#[test]
fn test_build_privileged_pod_with_volumes_and_host_access() {
let (host_vol, host_mount) = host_root_volume();
let pod = build_privileged_pod(
PrivilegedPodConfig {
name: "full-pod".to_string(),
namespace: "default".to_string(),
node_name: "node-1".to_string(),
container_name: "runner".to_string(),
command: vec!["/bin/sh".to_string()],
volumes: vec![host_vol.clone()],
volume_mounts: vec![host_mount.clone()],
host_pid: true,
host_network: true,
},
&KubernetesDistribution::Default,
);
let spec = pod.spec.as_ref().expect("Pod spec should be present");
assert_eq!(spec.host_pid, Some(true));
assert_eq!(spec.host_network, Some(true));
// Check volumes in Spec
let volumes = spec.volumes.as_ref().expect("Volumes should be present");
assert_eq!(volumes.len(), 1);
assert_eq!(volumes[0].name, "host");
// Check mounts in Container
let container = &spec.containers[0];
let mounts = container
.volume_mounts
.as_ref()
.expect("Mounts should be present");
assert_eq!(mounts.len(), 1);
assert_eq!(mounts[0].name, "host");
assert_eq!(mounts[0].mount_path, "/host");
}
#[test]
fn test_build_privileged_pod_structure_correctness() {
// This test validates that the construction logic puts things in the right places
// effectively validating the "template".
let custom_vol = Volume {
name: "custom-vol".to_string(),
..Default::default()
};
let custom_mount = VolumeMount {
name: "custom-vol".to_string(),
mount_path: "/custom".to_string(),
..Default::default()
};
let pod = build_privileged_pod(
PrivilegedPodConfig {
name: "structure-test".to_string(),
namespace: "test-ns".to_string(),
node_name: "test-node".to_string(),
container_name: "test-container".to_string(),
command: vec!["cmd".to_string()],
volumes: vec![custom_vol],
volume_mounts: vec![custom_mount],
..Default::default()
},
&KubernetesDistribution::Default,
);
// Validate structure depth
let spec = pod.spec.as_ref().unwrap();
// 1. Spec level fields
assert!(spec.node_name.is_some());
assert!(spec.volumes.is_some());
// 2. Container level fields
let container = &spec.containers[0];
assert!(container.security_context.is_some());
assert!(container.volume_mounts.is_some());
// 3. Nested fields
assert!(
container
.security_context
.as_ref()
.unwrap()
.privileged
.unwrap()
);
assert_eq!(spec.volumes.as_ref().unwrap()[0].name, "custom-vol");
assert_eq!(
container.volume_mounts.as_ref().unwrap()[0].mount_path,
"/custom"
);
}
#[test]
fn test_build_privileged_bundle_default_distribution() {
let bundle = build_privileged_bundle(
PrivilegedPodConfig {
name: "test-bundle".to_string(),
namespace: "test-ns".to_string(),
node_name: "node-1".to_string(),
container_name: "test-container".to_string(),
command: vec!["echo".to_string(), "hello".to_string()],
..Default::default()
},
&KubernetesDistribution::Default,
);
// For Default distribution, only the Pod should be in the bundle
assert_eq!(bundle.resources.len(), 1);
let pod_obj = &bundle.resources[0];
assert_eq!(pod_obj.metadata.name.as_deref(), Some("test-bundle"));
assert_eq!(pod_obj.metadata.namespace.as_deref(), Some("test-ns"));
}
#[test]
fn test_build_privileged_bundle_openshift_distribution() {
let bundle = build_privileged_bundle(
PrivilegedPodConfig {
name: "test-bundle-ocp".to_string(),
namespace: "test-ns".to_string(),
node_name: "node-1".to_string(),
container_name: "test-container".to_string(),
command: vec!["echo".to_string(), "hello".to_string()],
..Default::default()
},
&KubernetesDistribution::OpenshiftFamily,
);
// For OpenShift, both ClusterRoleBinding and Pod should be in the bundle
assert_eq!(bundle.resources.len(), 2);
// First resource should be the ClusterRoleBinding
let crb_obj = &bundle.resources[0];
assert_eq!(
crb_obj.metadata.name.as_deref(),
Some("test-bundle-ocp-scc-binding")
);
// Verify it's targeting the privileged SCC
if let Some(role_ref) = crb_obj.data.get("roleRef") {
assert_eq!(
role_ref.get("name").and_then(|v| v.as_str()),
Some("system:openshift:scc:privileged")
);
}
// Second resource should be the Pod
let pod_obj = &bundle.resources[1];
assert_eq!(pod_obj.metadata.name.as_deref(), Some("test-bundle-ocp"));
assert_eq!(pod_obj.metadata.namespace.as_deref(), Some("test-ns"));
}
#[test]
fn test_build_privileged_bundle_k3s_distribution() {
let bundle = build_privileged_bundle(
PrivilegedPodConfig {
name: "test-bundle-k3s".to_string(),
namespace: "test-ns".to_string(),
node_name: "node-1".to_string(),
container_name: "test-container".to_string(),
command: vec!["echo".to_string(), "hello".to_string()],
..Default::default()
},
&KubernetesDistribution::K3sFamily,
);
// For K3s, only the Pod should be in the bundle (no special SCC)
assert_eq!(bundle.resources.len(), 1);
let pod_obj = &bundle.resources[0];
assert_eq!(pod_obj.metadata.name.as_deref(), Some("test-bundle-k3s"));
}
#[test]
fn test_pod_yaml_rendering_expected() {
let pod = build_privileged_pod(
PrivilegedPodConfig {
name: "pod_name".to_string(),
namespace: "pod_namespace".to_string(),
node_name: "node name".to_string(),
container_name: "container name".to_string(),
command: vec!["command".to_string(), "argument".to_string()],
host_pid: true,
host_network: true,
..Default::default()
},
&KubernetesDistribution::Default,
);
assert_eq!(
&serde_yaml::to_string(&pod).unwrap(),
"apiVersion: v1
kind: Pod
metadata:
name: pod_name
namespace: pod_namespace
spec:
containers:
- command:
- command
- argument
image: hub.nationtech.io/redhat/ubi10:latest
name: container name
securityContext:
privileged: true
volumeMounts: []
hostNetwork: true
hostPID: true
nodeName: node name
restartPolicy: Never
volumes: []
"
);
}
#[test]
fn test_pod_yaml_rendering_openshift() {
let pod = build_privileged_pod(
PrivilegedPodConfig {
name: "pod_name".to_string(),
namespace: "pod_namespace".to_string(),
node_name: "node name".to_string(),
container_name: "container name".to_string(),
command: vec!["command".to_string(), "argument".to_string()],
host_pid: true,
host_network: true,
..Default::default()
},
&KubernetesDistribution::OpenshiftFamily,
);
assert_eq!(
&serde_yaml::to_string(&pod).unwrap(),
"apiVersion: v1
kind: Pod
metadata:
annotations:
openshift.io/required-scc: privileged
openshift.io/scc: privileged
name: pod_name
namespace: pod_namespace
spec:
containers:
- command:
- command
- argument
image: hub.nationtech.io/redhat/ubi10:latest
name: container name
securityContext:
privileged: true
volumeMounts: []
hostNetwork: true
hostPID: true
nodeName: node name
restartPolicy: Never
volumes: []
"
);
}
}
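Review bot: the `ClusterRoleBinding` built in `build_privileged_bundle` grants the `system:openshift:scc:privileged` ClusterRole to the `default` ServiceAccount of the target namespace, so every pod in that namespace running under the default SA (every pod that does not set `serviceAccountName`) becomes eligible for the privileged SCC for as long as the binding exists, not just the pod built here; create a dedicated ServiceAccount in the bundle, set `service_account_name` on the `PodSpec`, and bind that account instead. Also in this hunk: `host_root_volume` mounts `/` read-write with no `read_only` option, so command-only use cases (reboots, `nmcli` reloads) cannot request a read-only mount; `prompt_drain_timeout_action` wraps a prompt failure in `kube::Error::Discovery(DiscoveryError::MissingResource(..))`, which has nothing to do with discovery and will mislead anyone matching on kube errors, and its doc comment still describes `Ok(true)`/`Ok(false)` although it returns `DrainTimeoutAction`; and `test_build_privileged_bundle_openshift_distribution` checks `roleRef` inside `if let Some(role_ref)`, so the test passes silently if `roleRef` is missing from the serialized binding, where `.expect("roleRef missing")` would make it a real assertion.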

File diff suppressed because it is too large


@@ -4,7 +4,7 @@ use async_trait::async_trait;
use base64::{Engine, engine::general_purpose};
use harmony_types::rfc1123::Rfc1123Name;
use k8s_openapi::api::{
core::v1::Secret,
core::v1::{Pod, Secret},
rbac::v1::{ClusterRoleBinding, RoleRef, Subject},
};
use kube::api::{DynamicObject, GroupVersionKind, ObjectMeta};
@@ -14,12 +14,18 @@ use tokio::sync::OnceCell;
use crate::{
executors::ExecutorError,
interpret::InterpretStatus,
interpret::{InterpretStatus, Outcome},
inventory::Inventory,
modules::{
cert_manager::{
capability::{CertificateManagement, CertificateManagementConfig},
crd::{
certificate::Certificate, issuer::Issuer,
score_k8s_certificate::K8sCertManagerCertificateScore,
score_k8s_issuer::K8sCertManagerIssuerScore,
},
operator::CertManagerOperatorScore,
score_cert_management::CertificateManagementScore,
},
k3d::K3DInstallationScore,
k8s::ingress::{K8sIngressScore, PathType},
@@ -39,7 +45,7 @@ use crate::{
service_monitor::ServiceMonitor,
},
},
okd::route::OKDTlsPassthroughScore,
okd::{crd::ingresses_config::Ingress as IngressResource, route::OKDTlsPassthroughScore},
prometheus::{
k8s_prometheus_alerting_score::K8sPrometheusCRDAlertingScore,
prometheus::PrometheusMonitoring, rhob_alerting_score::RHOBAlertingScore,
@@ -70,7 +76,7 @@ struct K8sState {
message: String,
}
#[derive(Debug, Clone)]
#[derive(Debug, Clone, Serialize)]
pub enum KubernetesDistribution {
OpenshiftFamily,
K3sFamily,
@@ -87,7 +93,6 @@ enum K8sSource {
pub struct K8sAnywhereTopology {
k8s_state: Arc<OnceCell<Option<K8sState>>>,
tenant_manager: Arc<OnceCell<K8sTenantManager>>,
k8s_distribution: Arc<OnceCell<KubernetesDistribution>>,
config: Arc<K8sAnywhereConfig>,
}
@@ -111,8 +116,32 @@ impl K8sclient for K8sAnywhereTopology {
#[async_trait]
impl TlsRouter for K8sAnywhereTopology {
async fn get_wildcard_domain(&self) -> Result<Option<String>, String> {
todo!()
async fn get_internal_domain(&self) -> Result<Option<String>, String> {
match self.get_k8s_distribution().await.map_err(|e| {
format!(
"Could not get internal domain, error getting k8s distribution : {}",
e.to_string()
)
})? {
KubernetesDistribution::OpenshiftFamily => {
let client = self.k8s_client().await?;
if let Some(ingress_config) = client
.get_resource::<IngressResource>("cluster", None)
.await
.map_err(|e| {
format!("Error attempting to get ingress config : {}", e.to_string())
})?
{
debug!("Found ingress config {:?}", ingress_config.spec);
Ok(ingress_config.spec.domain.clone())
} else {
warn!("Could not find a domain configured in this cluster");
Ok(None)
}
}
KubernetesDistribution::K3sFamily => todo!(),
KubernetesDistribution::Default => todo!(),
}
}
/// Returns the port that this router exposes externally.
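Review bot: the `K3sFamily` and `Default` arms of `get_internal_domain` are `todo!()`, so any `TlsRouter` consumer on a non-OpenShift cluster panics at the call site; return `Ok(None)` (the return type already allows it and the OpenShift arm uses it when no domain is configured) or a descriptive `Err`. Minor: `e.to_string()` inside `format!("... {}", ...)` is redundant, `{e}` does the same.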
@@ -365,22 +394,147 @@ impl Serialize for K8sAnywhereTopology {
#[async_trait]
impl CertificateManagement for K8sAnywhereTopology {
async fn install(
&self,
config: &CertificateManagementConfig,
) -> Result<PreparationOutcome, PreparationError> {
async fn install(&self) -> Result<Outcome, ExecutorError> {
let cert_management_operator = CertManagerOperatorScore::default();
cert_management_operator
.interpret(&Inventory::empty(), self)
.await
.map_err(|e| PreparationError { msg: e.to_string() })?;
Ok(PreparationOutcome::Success {
details: format!(
"Installed cert-manager into ns: {}",
cert_management_operator.namespace
),
})
.map_err(|e| ExecutorError::UnexpectedError(e.to_string()))?;
Ok(Outcome::success(format!(
"Installed cert-manager into ns: {}",
cert_management_operator.namespace
)))
}
async fn ensure_certificate_management_ready(&self) -> Result<Outcome, ExecutorError> {
let k8s_client = self.k8s_client().await.unwrap();
let pods = k8s_client
.list_all_resources_with_labels::<Pod>(
"app.kubernetes.io/component=controller,\
app.kubernetes.io/name=cert-manager",
)
.await
.map_err(|e| ExecutorError::UnexpectedError(format!("{}", e)))?;
if pods.is_empty() {
info!("cert-manager not installed (no controller pods found)");
self.install().await
} else {
trace!("cert-manager controller pods found: {:#?}", pods);
info!("cert-manager controller pods found");
Ok(Outcome::success("Certificate Management Ready".to_string()))
}
}
async fn create_issuer(
&self,
issuer_name: String,
config: &CertificateManagementConfig,
) -> Result<Outcome, ExecutorError> {
let issuer_score = K8sCertManagerIssuerScore {
issuer_name: issuer_name.clone(),
config: config.clone(),
};
issuer_score
.interpret(&Inventory::empty(), self)
.await
.map_err(|e| ExecutorError::UnexpectedError(e.to_string()))?;
Ok(Outcome::success(format!(
"issuer of kind {} is ready",
issuer_name
)))
}
async fn create_certificate(
&self,
cert_name: String,
issuer_name: String,
common_name: Option<String>,
dns_names: Option<Vec<String>>,
is_ca: Option<bool>,
config: &CertificateManagementConfig,
) -> Result<Outcome, ExecutorError> {
self.certificate_issuer_ready(
issuer_name.clone(),
self.k8s_client().await.unwrap(),
config,
)
.await?;
let cert = K8sCertManagerCertificateScore {
cert_name: cert_name,
issuer_name,
common_name,
is_ca,
dns_names,
config: config.clone(),
};
cert.interpret(&Inventory::empty(), self)
.await
.map_err(|e| ExecutorError::UnexpectedError(e.to_string()))?;
Ok(Outcome::success(format!(
"Created cert into ns: {:#?}",
config.namespace.clone()
)))
}
async fn get_ca_certificate(
&self,
cert_name: String,
config: &CertificateManagementConfig,
) -> Result<String, ExecutorError> {
let namespace = config.namespace.clone().unwrap();
let client = self.k8s_client().await.unwrap();
if let Some(certificate) = client
.get_resource::<Certificate>(&cert_name, Some(&namespace))
.await
.map_err(|e| ExecutorError::UnexpectedError(format!("{}", e)))?
{
let secret_name = certificate.spec.secret_name.clone();
debug!("Secret Name {:#?}", secret_name);
if let Some(secret) = client
.get_resource::<Secret>(&secret_name, Some(&namespace))
.await
.map_err(|e| {
ExecutorError::UnexpectedError(format!(
"secret {} not found in namespace {}: {}",
secret_name, namespace, e
))
})?
{
let ca_cert = secret
.data
.as_ref()
.and_then(|d| d.get("ca.crt"))
.ok_or_else(|| {
ExecutorError::UnexpectedError("Secret missing key 'ca.crt'".into())
})?;
let ca_cert = String::from_utf8(ca_cert.0.clone()).map_err(|_| {
ExecutorError::UnexpectedError("ca.crt is not valid UTF-8".into())
})?;
return Ok(ca_cert);
} else {
Err(ExecutorError::UnexpectedError(format!(
"Error getting secret associated with cert_name: {}, secret_name: {}",
cert_name, secret_name
)))
}
} else {
return Err(ExecutorError::UnexpectedError(format!(
"Certificate {} not found in namespace {}",
cert_name, namespace
)));
}
}
}
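Review bot: `ensure_certificate_management_ready`, `create_certificate` and `get_ca_certificate` call `self.k8s_client().await.unwrap()`, and `get_ca_certificate` additionally does `config.namespace.clone().unwrap()`, so a missing kubeconfig or an unset namespace panics inside methods that already return `Result<_, ExecutorError>`; map them with `map_err(|e| ExecutorError::UnexpectedError(e.to_string()))` and `ok_or_else(..)`, as `certificate_issuer_ready` does for its namespace. Style: `cert_name: cert_name` can use field shorthand, and the `return Ok(ca_cert)` / `return Err(..)` inside `if`/`else` arms mix explicit returns with expression values; pick one form.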
@@ -389,7 +543,6 @@ impl K8sAnywhereTopology {
Self {
k8s_state: Arc::new(OnceCell::new()),
tenant_manager: Arc::new(OnceCell::new()),
k8s_distribution: Arc::new(OnceCell::new()),
config: Arc::new(K8sAnywhereConfig::from_env()),
}
}
@@ -398,44 +551,40 @@ impl K8sAnywhereTopology {
Self {
k8s_state: Arc::new(OnceCell::new()),
tenant_manager: Arc::new(OnceCell::new()),
k8s_distribution: Arc::new(OnceCell::new()),
config: Arc::new(config),
}
}
pub async fn get_k8s_distribution(&self) -> Result<&KubernetesDistribution, PreparationError> {
self.k8s_distribution
.get_or_try_init(async || {
debug!("Trying to detect k8s distribution");
let client = self.k8s_client().await.unwrap();
pub async fn certificate_issuer_ready(
&self,
issuer_name: String,
k8s_client: Arc<K8sClient>,
config: &CertificateManagementConfig,
) -> Result<Outcome, ExecutorError> {
let ns = config
.namespace
.clone()
.ok_or_else(|| ExecutorError::UnexpectedError("namespace is required".to_string()))?;
let discovery = client.discovery().await.map_err(|e| {
PreparationError::new(format!("Could not discover API groups: {}", e))
})?;
let version = client.get_apiserver_version().await.map_err(|e| {
PreparationError::new(format!("Could not get server version: {}", e))
})?;
// OpenShift / OKD
if discovery
.groups()
.any(|g| g.name() == "project.openshift.io")
{
info!("Found KubernetesDistribution OpenshiftFamily");
return Ok(KubernetesDistribution::OpenshiftFamily);
}
// K3d / K3s
if version.git_version.contains("k3s") {
info!("Found KubernetesDistribution K3sFamily");
return Ok(KubernetesDistribution::K3sFamily);
}
info!("Could not identify KubernetesDistribution, using Default");
return Ok(KubernetesDistribution::Default);
})
match k8s_client
.get_resource::<Issuer>(&issuer_name, Some(&ns))
.await
{
Ok(Some(_cert_issuer)) => Ok(Outcome::success(format!(
"issuer of kind {} is ready",
issuer_name
))),
Ok(None) => Err(ExecutorError::UnexpectedError(format!(
"Issuer {} not present in namespace {}",
issuer_name, ns
))),
Err(e) => Err(ExecutorError::UnexpectedError(format!(
"Failed to fetch Issuer {}: {}",
issuer_name, e
))),
}
}
fn extract_and_normalize_token(&self, secret: &DynamicObject) -> Option<String> {
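Review bot: `certificate_issuer_ready` only checks that the `Issuer` object exists, not that cert-manager reports it as ready (the `Ready` condition in its status), so `create_certificate` can proceed against an issuer whose ACME account or CA secret is still failing; either check the ready condition or rename the method to `certificate_issuer_exists` so callers do not assume more than it verifies. Taking `k8s_client: Arc<K8sClient>` as a parameter is also unnecessary since the method is on `self` and its only caller passes `self.k8s_client().await.unwrap()`.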
@@ -455,6 +604,16 @@ impl K8sAnywhereTopology {
Some(cleaned)
}
pub async fn get_k8s_distribution(&self) -> Result<KubernetesDistribution, PreparationError> {
self.k8s_client()
.await?
.get_k8s_distribution()
.await
.map_err(|e| {
PreparationError::new(format!("Failed to get k8s distribution from client : {e}"))
})
}
pub fn build_cluster_rolebinding(
&self,
service_account_name: &str,
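Review bot: `get_k8s_distribution` now delegates to the client on every call and the `k8s_distribution: Arc<OnceCell<..>>` cache on `K8sAnywhereTopology` is removed in this change; confirm that `K8sClient::get_k8s_distribution` caches the API discovery and server-version lookup itself, otherwise callers such as `get_internal_domain` and the NATS `deploy` impl each repeat those requests.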
@@ -1089,6 +1248,12 @@ impl Topology for K8sAnywhereTopology {
.await
.map_err(PreparationError::new)?;
let cert_mgmt = CertificateManagementScore {};
cert_mgmt
.interpret(&Inventory::empty(), self)
.await
.map_err(|e| PreparationError::new(format!("{}", e)))?;
match self.is_helm_available() {
Ok(()) => Ok(PreparationOutcome::Success {
details: format!("{} + helm available", k8s_state.message.clone()),
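Review bot: interpreting `CertificateManagementScore` inside `ensure_ready` makes certificate management part of every topology preparation, and if the score ends up calling `ensure_certificate_management_ready` that installs the cert-manager operator into the cluster whenever its controller pods are absent, a cluster-wide side effect of a readiness check; if that is intended, say so in the `ensure_ready` docs, otherwise gate it on the capability actually being requested.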
@@ -1112,7 +1277,21 @@ impl MultiTargetTopology for K8sAnywhereTopology {
}
}
impl HelmCommand for K8sAnywhereTopology {}
impl HelmCommand for K8sAnywhereTopology {
fn get_helm_command(&self) -> Command {
let mut cmd = Command::new("helm");
if let Some(k) = &self.config.kubeconfig {
cmd.args(["--kubeconfig", k]);
}
if let Some(c) = &self.config.k8s_context {
cmd.args(["--kube-context", c]);
}
info!("Using helm command {cmd:?}");
cmd
}
}
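Review bot: `get_helm_command` logs the full `Command` at `info!` on every invocation, which prints the kubeconfig path and context each time helm is run; `debug!` fits a value that only changes with configuration.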
#[async_trait]
impl TenantManager for K8sAnywhereTopology {
@@ -1133,7 +1312,7 @@ impl TenantManager for K8sAnywhereTopology {
#[async_trait]
impl Ingress for K8sAnywhereTopology {
async fn get_domain(&self, service: &str) -> Result<String, PreparationError> {
use log::{debug, trace, warn};
use log::{trace, warn};
let client = self.k8s_client().await?;


@@ -1,3 +1,4 @@
mod k8s_anywhere;
pub mod nats;
mod postgres;
pub use k8s_anywhere::*;


@@ -0,0 +1,38 @@
use async_trait::async_trait;
use crate::{
inventory::Inventory,
modules::nats::{
capability::{Nats, NatsCluster},
score_nats_k8s::NatsK8sScore,
},
score::Score,
topology::K8sAnywhereTopology,
};
#[async_trait]
impl Nats for K8sAnywhereTopology {
async fn deploy(
&self,
nats_cluster: &NatsCluster,
peers: Option<Vec<NatsCluster>>,
ca_bundle: Option<Vec<String>>,
) -> Result<String, String> {
let distro = self.get_k8s_distribution().await.unwrap();
NatsK8sScore {
distribution: distro.clone(),
cluster: nats_cluster.clone(),
peers,
ca_bundle,
}
.interpret(&Inventory::empty(), self)
.await
.map_err(|e| format!("Failed to deploy nats cluster: {}", e))?;
Ok(format!(
"Nats cluster deployed in ns {}",
nats_cluster.namespace
))
}
}
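Review bot: `deploy` calls `self.get_k8s_distribution().await.unwrap()` although the function returns `Result<String, String>`, so a failure to detect the distribution panics instead of surfacing as an error string; map it with `.map_err(|e| format!("Failed to detect k8s distribution: {e}"))?` like the `interpret` call below it.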


@@ -1,7 +1,6 @@
use std::{net::SocketAddr, str::FromStr};
use async_trait::async_trait;
use log::debug;
use serde::Serialize;
use super::LogicalHost;


@@ -2,7 +2,7 @@ use async_trait::async_trait;
use derive_new::new;
use serde::{Deserialize, Serialize};
use super::{HelmCommand, PreparationError, PreparationOutcome, Topology};
use super::{PreparationError, PreparationOutcome, Topology};
#[derive(new, Clone, Debug, Serialize, Deserialize)]
pub struct LocalhostTopology;
@@ -19,6 +19,3 @@ impl Topology for LocalhostTopology {
})
}
}
// TODO: Delete this, temp for test
impl HelmCommand for LocalhostTopology {}

@@ -1,3 +1,4 @@
pub mod decentralized;
mod failover;
mod ha_cluster;
pub mod ingress;

@@ -188,6 +188,10 @@ impl FromStr for DnsRecordType {
pub trait NetworkManager: Debug + Send + Sync {
async fn ensure_network_manager_installed(&self) -> Result<(), NetworkError>;
async fn configure_bond(&self, config: &HostNetworkConfig) -> Result<(), NetworkError>;
async fn configure_bond_on_primary_interface(
&self,
config: &HostNetworkConfig,
) -> Result<(), NetworkError>;
}
#[derive(Debug, Clone, new)]
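Review bot: the new trait method `configure_bond_on_primary_interface` on `NetworkManager` carries no doc comment, while its OpenShift implementation later in this change drains and reboots the node; that disruptive contract (node drained, rebooted, uncordoned on success) belongs on the trait so other implementors and callers see it, e.g. `/// Bonds the primary interface. Disruptive: the node is drained and rebooted.`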

@@ -112,12 +112,13 @@ pub trait TlsRouter: Send + Sync {
/// HAProxy frontend→backend \"postgres-upstream\".
async fn install_route(&self, config: TlsRoute) -> Result<(), String>;
/// Gets the base domain that can be used to deploy applications that will be automatically
/// routed to this cluster.
/// Gets the base domain of this cluster. On openshift family clusters, this is the domain
/// used by default for all components, including the default ingress controller that
/// transforms ingress to routes.
///
/// For example, if we have *.apps.nationtech.io pointing to a public load balancer, then this
/// function would install route apps.nationtech.io
async fn get_wildcard_domain(&self) -> Result<Option<String>, String>;
/// For example, get_internal_domain on a cluster that has `console-openshift-console.apps.mycluster.something`
/// will return `apps.mycluster.something`
async fn get_internal_domain(&self) -> Result<Option<String>, String>;
/// Returns the port that this router exposes externally.
async fn get_router_port(&self) -> u16;
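Review bot: the unchanged example under the new `get_wildcard_domain` doc still says this function "would install route apps.nationtech.io", which contradicts a getter that returns `Option<String>`; reword it to "would return `apps.nationtech.io`". `get_internal_domain` is documented by example only; add a one-line description of what distinguishes it from `get_wildcard_domain`, since the two examples read almost the same.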

@@ -5,9 +5,20 @@ use harmony_types::{
net::{IpAddress, MacAddress},
switch::{PortDeclaration, PortLocation},
};
use log::info;
use option_ext::OptionExt;
use crate::topology::{PortConfig, SwitchClient, SwitchError};
use crate::{
modules::brocade::BrocadeSwitchAuth,
topology::{PortConfig, SwitchClient, SwitchError},
};
#[derive(Debug, Clone)]
pub struct BrocadeSwitchConfig {
pub ips: Vec<IpAddress>,
pub auth: BrocadeSwitchAuth,
pub options: BrocadeOptions,
}
#[derive(Debug)]
pub struct BrocadeSwitchClient {
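Review bot: `BrocadeSwitchConfig` derives `Debug` while holding `auth: BrocadeSwitchAuth`, and the `init` change below reads `auth.username`/`auth.password` from it; unless `BrocadeSwitchAuth` has a redacting `Debug` impl, any `{config:?}` in a log or error message will print the switch password. A manual `Debug` impl that masks `auth` (or a secret-wrapper type for the password) avoids this.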
@@ -15,13 +26,11 @@ pub struct BrocadeSwitchClient {
}
impl BrocadeSwitchClient {
pub async fn init(
ip_addresses: &[IpAddress],
username: &str,
password: &str,
options: BrocadeOptions,
) -> Result<Self, brocade::Error> {
let brocade = brocade::init(ip_addresses, username, password, options).await?;
pub async fn init(config: BrocadeSwitchConfig) -> Result<Self, brocade::Error> {
let auth = &config.auth;
let options = &config.options;
let brocade = brocade::init(&config.ips, &auth.username, &auth.password, options).await?;
Ok(Self { brocade })
}
}
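Review bot: `init` now takes `config: BrocadeSwitchConfig` by value but only borrows its fields, so `&BrocadeSwitchConfig` would let callers keep the config; and `options` is passed as `&config.options` where the old signature moved `BrocadeOptions` by value, so confirm `brocade::init` was changed to accept a reference, since that change is not in this diff.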
@@ -52,13 +61,18 @@ impl SwitchClient for BrocadeSwitchClient {
|| link.remote_port.contains(&interface.port_location)
})
})
.map(|interface| (interface.name.clone(), PortOperatingMode::Access))
.map(|interface| (interface.name.clone(), PortOperatingMode::Trunk))
.collect();
if interfaces.is_empty() {
return Ok(());
}
info!("About to configure interfaces {interfaces:?}");
// inquire::Confirm::new("Do you wish to configures interfaces now?")
// .prompt()
// .map_err(|e| SwitchError::new(e.to_string()))?;
self.brocade
.configure_interfaces(&interfaces)
.await
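Review bot: the commented-out `inquire::Confirm` block should be deleted rather than left in place; if the interactive confirmation is still wanted it belongs behind an option, not in dead code. Separately, switching the matched interfaces from `PortOperatingMode::Access` to `PortOperatingMode::Trunk` changes what every matching port carries and the hunk gives no reason; a short comment (or the commit message) should say why trunk is now the correct mode.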
@@ -208,8 +222,8 @@ mod tests {
//TODO not sure about this
let configured_interfaces = brocade.configured_interfaces.lock().unwrap();
assert_that!(*configured_interfaces).contains_exactly(vec![
(first_interface.name.clone(), PortOperatingMode::Access),
(second_interface.name.clone(), PortOperatingMode::Access),
(first_interface.name.clone(), PortOperatingMode::Trunk),
(second_interface.name.clone(), PortOperatingMode::Trunk),
]);
}
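Review bot: the `//TODO not sure about this` above the assertion is still there now that the expectation was flipped to `Trunk`; either resolve the doubt or state what is uncertain, since a test the author does not trust does not pin the behaviour.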

@@ -1,11 +1,12 @@
use crate::{
hardware::PhysicalHost,
inventory::{HostRole, InventoryRepository, RepoError},
topology::HostConfig,
};
use async_trait::async_trait;
use harmony_types::id::Id;
use log::info;
use sqlx::{Pool, Sqlite, SqlitePool};
use sqlx::{Pool, Sqlite, SqlitePool, migrate::MigrateDatabase};
/// A thread-safe, connection-pooled repository using SQLite.
#[derive(Debug)]
@@ -15,11 +16,28 @@ pub struct SqliteInventoryRepository {
impl SqliteInventoryRepository {
pub async fn new(database_url: &str) -> Result<Self, RepoError> {
// Ensure the database file exists for SQLite
if database_url.starts_with("sqlite:") {
let path = database_url.trim_start_matches("sqlite:");
if !path.contains(":memory:") && !std::path::Path::new(path).exists() {
sqlx::any::install_default_drivers();
sqlx::Sqlite::create_database(database_url)
.await
.map_err(|e| RepoError::ConnectionFailed(e.to_string()))?;
}
}
let pool = SqlitePool::connect(database_url)
.await
.map_err(|e| RepoError::ConnectionFailed(e.to_string()))?;
info!("SQLite inventory repository initialized at '{database_url}'");
// Run migrations
sqlx::migrate!("./../migrations")
.run(&pool)
.await
.map_err(|e| RepoError::ConnectionFailed(format!("Migration failed: {}", e)))?;
info!("SQLite inventory repository initialized and migrated at '{database_url}'");
Ok(Self { pool })
}
}
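Review bot: a migration failure is mapped to `RepoError::ConnectionFailed`, which misreports the cause; a dedicated variant such as `RepoError::MigrationFailed` would let callers and logs tell the two apart. The two `info!` lines now both fire ("initialized at" and "initialized and migrated at"); keep one. Also check whether `sqlx::any::install_default_drivers()` is needed here: `Sqlite::create_database` goes through the SQLite driver directly, and the `Any` driver registry only matters for `AnyConnection`.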
@@ -90,16 +108,18 @@ impl InventoryRepository for SqliteInventoryRepository {
&self,
role: &HostRole,
host: &PhysicalHost,
installation_device: &String,
) -> Result<(), RepoError> {
let host_id = host.id.to_string();
sqlx::query!(
r#"
INSERT INTO host_role_mapping (host_id, role)
VALUES (?, ?)
INSERT INTO host_role_mapping (host_id, role, installation_device)
VALUES (?, ?, ?)
"#,
host_id,
role
role,
installation_device
)
.execute(&self.pool)
.await?;
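Review bot: `installation_device: &String` should be `&str` (clippy `ptr_arg`); the `query!` binding works the same and callers are not forced to hold a `String`.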
@@ -109,16 +129,20 @@ impl InventoryRepository for SqliteInventoryRepository {
Ok(())
}
async fn get_host_for_role(&self, role: &HostRole) -> Result<Vec<PhysicalHost>, RepoError> {
async fn get_hosts_for_role(
&self,
role: &HostRole,
) -> Result<Vec<(PhysicalHost, HostConfig)>, RepoError> {
struct HostIdRow {
host_id: String,
installation_device: Option<String>,
}
let role_str = format!("{:?}", role);
let host_id_rows = sqlx::query_as!(
HostIdRow,
"SELECT host_id FROM host_role_mapping WHERE role = ?",
"SELECT host_id, installation_device FROM host_role_mapping WHERE role = ?",
role_str
)
.fetch_all(&self.pool)
@@ -126,15 +150,19 @@ impl InventoryRepository for SqliteInventoryRepository {
let mut hosts = Vec::with_capacity(host_id_rows.len());
for row in host_id_rows {
match self.get_latest_by_id(&row.host_id).await? {
Some(host) => hosts.push(host),
let physical_host = match self.get_latest_by_id(&row.host_id).await? {
Some(host) => host,
None => {
log::warn!(
return Err(RepoError::QueryFailed(format!(
"Found a role mapping for host_id '{}', but the host does not exist in the physical_hosts table. This may indicate a data integrity issue.",
row.host_id
);
)));
}
}
};
let host_config = HostConfig {
installation_device: row.installation_device,
};
hosts.push((physical_host, host_config));
}
Ok(hosts)
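Review bot: a role mapping whose host is missing now fails the whole `get_hosts_for_role` call with `QueryFailed`, where the old code logged a warning and skipped the row; that is the stricter and probably correct choice for an integrity problem, but it means one dangling row hides every other host with that role, so it should be stated in the method's doc and ideally be prevented by a foreign key on `host_role_mapping.host_id` so the state cannot arise.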

@@ -3,6 +3,7 @@ use std::{
sync::Arc,
};
use askama::Template;
use async_trait::async_trait;
use harmony_types::id::Id;
use k8s_openapi::api::core::v1::Node;
@@ -10,13 +11,71 @@ use kube::{
ResourceExt,
api::{ObjectList, ObjectMeta},
};
use log::{debug, info};
use log::{debug, info, warn};
use crate::{
modules::okd::crd::nmstate,
topology::{HostNetworkConfig, NetworkError, NetworkManager, k8s::K8sClient},
topology::{
HostNetworkConfig, NetworkError, NetworkManager,
k8s::{DrainOptions, K8sClient, NodeFile},
},
};
/// NetworkManager bond configuration template
#[derive(Template)]
#[template(
source = r#"[connection]
id={{ bond_name }}
uuid={{ bond_uuid }}
type=bond
autoconnect-slaves=1
interface-name={{ bond_name }}
[bond]
lacp_rate=fast
mode=802.3ad
xmit_hash_policy=layer2
[ipv4]
method=auto
[ipv6]
addr-gen-mode=default
method=auto
[proxy]
"#,
ext = "txt"
)]
struct BondConfigTemplate {
bond_name: String,
bond_uuid: String,
}
/// NetworkManager bond slave configuration template
#[derive(Template)]
#[template(
source = r#"[connection]
id={{ slave_id }}
uuid={{ slave_uuid }}
type=ethernet
interface-name={{ interface_name }}
master={{ bond_name }}
slave-type=bond
[ethernet]
[bond-port]
"#,
ext = "txt"
)]
struct BondSlaveConfigTemplate {
slave_id: String,
slave_uuid: String,
interface_name: String,
bond_name: String,
}
/// TODO document properly the non-intuitive behavior or "roll forward only" of nmstate in general
/// It is documented in nmstate official doc, but worth mentionning here :
///
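Review bot: `BondConfigTemplate` hard-codes `method=auto` for both `[ipv4]` and `[ipv6]`, so a node whose primary interface had a static or reserved address comes back on whatever DHCP hands the bond; the template should take addressing from `HostNetworkConfig` or at least document that DHCP is assumed. Neither template sets `autoconnect-priority`, and the existing profile for the primary interface is not removed or disabled anywhere in this change, so after the reboot NetworkManager may still activate the old per-interface profile instead of the new `slave-type=bond` one. The LACP parameters are also fixed: `xmit_hash_policy=layer2` hashes on MAC pairs only, so all traffic to the gateway lands on a single link; `layer2+3` or a configurable policy would be a better default.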
@@ -87,6 +146,117 @@ impl NetworkManager for OpenShiftNmStateNetworkManager {
Ok(())
}
/// Configures bonding on the primary network interface of a node.
///
/// Changing the *primary* network interface (making it a bond
/// slave) will disrupt node connectivity mid-change, so the
/// procedure is:
///
/// 1. Generate NetworkManager .nmconnection files
/// 2. Drain the node (includes cordon)
/// 3. Write configuration files to `/etc/NetworkManager/system-connections/`
/// 4. Attempt to reload NetworkManager (optional, best-effort)
/// 5. Reboot the node with full verification (drain, boot_id check, uncordon)
///
/// The reboot procedure includes:
/// - Recording boot_id before reboot
/// - Fire-and-forget reboot command
/// - Waiting for NotReady status
/// - Waiting for Ready status
/// - Verifying boot_id changed
/// - Uncordoning the node
///
/// See ADR-019 for context and rationale.
async fn configure_bond_on_primary_interface(
&self,
config: &HostNetworkConfig,
) -> Result<(), NetworkError> {
use std::time::Duration;
let node_name = self.get_node_name_for_id(&config.host_id).await?;
let hostname = self.get_hostname(&config.host_id).await?;
info!(
"Configuring bond on primary interface for host '{}' (node '{}')",
config.host_id, node_name
);
// 1. Generate .nmconnection files
let files = self.generate_nmconnection_files(&hostname, config)?;
debug!(
"Generated {} NetworkManager configuration files",
files.len()
);
// 2. Write configuration files to the node (before draining)
// We do this while the node is still running for faster operation
info!(
"Writing NetworkManager configuration files to node '{}'...",
node_name
);
self.k8s_client
.write_files_to_node(&node_name, &files)
.await
.map_err(|e| {
NetworkError::new(format!(
"Failed to write configuration files to node '{}': {}",
node_name, e
))
})?;
// 3. Reload NetworkManager configuration (best-effort)
// This won't activate the bond yet since the primary interface would lose connectivity,
// but it validates the configuration files are correct
info!(
"Reloading NetworkManager configuration on node '{}'...",
node_name
);
match self
.k8s_client
.run_privileged_command_on_node(&node_name, "chroot /host nmcli connection reload")
.await
{
Ok(output) => {
debug!("NetworkManager reload output: {}", output.trim());
}
Err(e) => {
warn!(
"Failed to reload NetworkManager configuration: {}. Proceeding with reboot.",
e
);
// Don't fail here - reboot will pick up the config anyway
}
}
// 4. Reboot the node with full verification
// The reboot_node function handles: drain, boot_id capture, reboot, NotReady wait,
// Ready wait, boot_id verification, and uncordon
// 60 minutes timeout for bare-metal environments (drain can take 20-30 mins)
let reboot_timeout = Duration::from_secs(3600);
info!(
"Rebooting node '{}' to apply network configuration (timeout: {:?})...",
node_name, reboot_timeout
);
self.k8s_client
.reboot_node(
&node_name,
&DrainOptions::default_ignore_daemonset_delete_emptydir_data(),
reboot_timeout,
)
.await
.map_err(|e| {
NetworkError::new(format!("Failed to reboot node '{}': {}", node_name, e))
})?;
info!(
"Successfully configured bond on primary interface for host '{}' (node '{}')",
config.host_id, node_name
);
Ok(())
}
async fn configure_bond(&self, config: &HostNetworkConfig) -> Result<(), NetworkError> {
let hostname = self.get_hostname(&config.host_id).await.map_err(|e| {
NetworkError::new(format!(
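Review bot: the doc comment and the code disagree on the procedure: the comment lists "Generate, Drain, Write, Reload, Reboot" while the body writes the files and reloads NetworkManager before any drain, and the drain only happens inside `reboot_node`; update the comment to the real order (generate, write, reload, drain+reboot) so operators are not misled about when the node is cordoned. The comment on `nmcli connection reload` also says it "validates the configuration files are correct", but `reload` only re-reads profiles and reports an unparseable file in the NM journal rather than as a failing exit, so the `Ok` branch is not a validation; if validation is wanted, check that the new profiles appear in `nmcli connection show` before rebooting.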
@@ -208,14 +378,14 @@ impl OpenShiftNmStateNetworkManager {
}
}
async fn get_hostname(&self, host_id: &Id) -> Result<String, String> {
async fn get_node_for_id(&self, host_id: &Id) -> Result<Node, String> {
let nodes: ObjectList<Node> = self
.k8s_client
.list_resources(None, None)
.await
.map_err(|e| format!("Failed to list nodes: {e}"))?;
let Some(node) = nodes.iter().find(|n| {
let Some(node) = nodes.into_iter().find(|n| {
n.status
.as_ref()
.and_then(|s| s.node_info.as_ref())
@@ -225,6 +395,20 @@ impl OpenShiftNmStateNetworkManager {
return Err(format!("No node found for host '{host_id}'"));
};
Ok(node)
}
async fn get_node_name_for_id(&self, host_id: &Id) -> Result<String, String> {
let node = self.get_node_for_id(host_id).await?;
node.metadata.name.ok_or(format!(
"A node should always have a name, node for host_id {host_id} has no name"
))
}
async fn get_hostname(&self, host_id: &Id) -> Result<String, String> {
let node = self.get_node_for_id(host_id).await?;
node.labels()
.get("kubernetes.io/hostname")
.ok_or(format!(
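Review bot: `ok_or(format!(...))` in `get_node_name_for_id` and `get_hostname` builds the error string even on the success path (clippy `or_fun_call`); use `ok_or_else(|| format!(...))`.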
@@ -261,4 +445,82 @@ impl OpenShiftNmStateNetworkManager {
let next_id = (0..).find(|id| !used_ids.contains(id)).unwrap();
Ok(format!("bond{next_id}"))
}
/// Generates NetworkManager .nmconnection files for bonding configuration.
///
/// Creates:
/// - One bond master configuration file (bond0.nmconnection)
/// - One slave configuration file per interface (bond0-<iface>.nmconnection)
///
/// All files are placed in `/etc/NetworkManager/system-connections/` with
/// mode 0o600 (required by NetworkManager).
fn generate_nmconnection_files(
&self,
hostname: &str,
config: &HostNetworkConfig,
) -> Result<Vec<NodeFile>, NetworkError> {
let mut files = Vec::new();
let bond_name = "bond0";
let bond_uuid = uuid::Uuid::new_v4().to_string();
// Generate bond master configuration
let bond_template = BondConfigTemplate {
bond_name: bond_name.to_string(),
bond_uuid: bond_uuid.clone(),
};
let bond_content = bond_template.render().map_err(|e| {
NetworkError::new(format!(
"Failed to render bond configuration template: {}",
e
))
})?;
files.push(NodeFile {
path: format!(
"/etc/NetworkManager/system-connections/{}.nmconnection",
bond_name
),
content: bond_content,
mode: 0o600,
});
// Generate slave configurations for each interface
for switch_port in &config.switch_ports {
let interface_name = &switch_port.interface.name;
let slave_id = format!("{}-{}", bond_name, interface_name);
let slave_uuid = uuid::Uuid::new_v4().to_string();
let slave_template = BondSlaveConfigTemplate {
slave_id: slave_id.clone(),
slave_uuid,
interface_name: interface_name.clone(),
bond_name: bond_name.to_string(),
};
let slave_content = slave_template.render().map_err(|e| {
NetworkError::new(format!(
"Failed to render slave configuration template for interface '{}': {}",
interface_name, e
))
})?;
files.push(NodeFile {
path: format!(
"/etc/NetworkManager/system-connections/{}.nmconnection",
slave_id
),
content: slave_content,
mode: 0o600,
});
}
debug!(
"Generated {} NetworkManager configuration files for host '{}'",
files.len(),
hostname
);
Ok(files)
}
}
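Review bot: `generate_nmconnection_files` hard-codes `let bond_name = "bond0";` even though the context just above this hunk ends a helper that picks the next unused `bond{next_id}`; on a node that already has a `bond0` the generated master profile will collide with it. Reuse that helper, or take the bond name as a parameter. The `hostname` argument is only used in the final `debug!`, which suggests either the files should be keyed by host or the parameter can go.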

@@ -0,0 +1,801 @@
use async_trait::async_trait;
use log::{debug, info, trace};
use serde::Serialize;
use std::path::PathBuf;
use crate::{
config::{REGISTRY_PROJECT, REGISTRY_URL},
modules::application::{
Application, HelmPackage, OCICompliant,
config::ApplicationNetworkPort,
helm::{self, DeploymentBuilder, HelmChart, HelmResourceKind},
},
};
use harmony_execution::{RunnerOptions, run_command};
#[derive(Debug, Clone, Serialize)]
pub struct BuildCommand {
pub program: String,
pub args: Vec<String>,
}
impl BuildCommand {
pub fn new(program: impl Into<String>, args: Vec<impl Into<String>>) -> Self {
Self {
program: program.into(),
args: args.into_iter().map(|s| s.into()).collect(),
}
}
pub fn to_std_command(&self) -> std::process::Command {
let mut cmd = std::process::Command::new(&self.program);
cmd.args(&self.args);
cmd
}
}
#[derive(Debug, Clone, Serialize)]
pub struct BackendApp {
pub name: String,
pub project_root: std::path::PathBuf,
pub network_ports: Vec<ApplicationNetworkPort>,
pub env_vars: Vec<(String, String)>,
pub build_cmd: BuildCommand,
pub dockerfile: Option<PathBuf>,
}
impl BackendApp {
fn get_dockerfile(&self) -> Result<PathBuf, String> {
debug!(
"Looking for dockerfile, currently set to {:?}",
self.dockerfile
);
if let Some(dockerfile) = &self.dockerfile {
return match dockerfile.exists() {
true => {
info!(
"Found dockerfile as intended at {}",
dockerfile.to_string_lossy()
);
Ok(dockerfile.clone())
}
false => Err(format!(
"Dockerfile explicitely set to {dockerfile} does not exist",
dockerfile = dockerfile.to_string_lossy()
)),
};
}
let existing_dockerfile = self.project_root.join("Dockerfile");
debug!("project_root = {:?}", self.project_root);
debug!("checking = {:?}", existing_dockerfile);
if existing_dockerfile.exists() {
debug!(
"Checking path {:#?} for existing Dockerfile",
self.project_root.clone()
);
return Ok(existing_dockerfile);
}
Err(format!(
"Could not find a dockerfile in {project_root} folder. Tried {existing_dockerfile}",
project_root = self.project_root.to_string_lossy(),
existing_dockerfile = existing_dockerfile.to_string_lossy(),
))
}
}
impl Application for BackendApp {
fn name(&self) -> String {
self.name.clone()
}
}
#[async_trait]
impl OCICompliant for BackendApp {
async fn build_push_oci_image(&self) -> Result<String, String> {
let dockerfile = self.get_dockerfile()?;
let image_tag = self.image_name();
// Run docker build command, streaming output to console and capturing it
let output = run_command(
std::process::Command::new("docker").args([
"build",
"-t",
&image_tag,
"-f",
&dockerfile.to_string_lossy(),
&self.project_root.to_string_lossy(),
]),
RunnerOptions::print_to_console(),
)
.map_err(|e| format!("Failed to spawn docker build process: {}", e))?;
if output.is_success() {
info!("Docker image build succeeded");
Ok(image_tag)
} else {
Err(format!(
"Docker image build FAILED:\n{}",
output.format_output()
))
}
}
fn local_image_name(&self) -> String {
self.name.clone()
}
fn image_name(&self) -> String {
format!(
"{}/{}/{}",
*REGISTRY_URL,
*REGISTRY_PROJECT,
&self.local_image_name()
)
}
}
#[async_trait]
impl HelmPackage for BackendApp {
fn project_root(&self) -> PathBuf {
self.project_root.clone()
}
fn chart_name(&self) -> String {
self.name.clone()
}
async fn build_push_helm_package(&self, image_url: &str) -> Result<String, String> {
let mut helm_chart = HelmChart::new(self.name.clone(), "1.0.0".to_string());
// Build the typed Deployment object using the builder with initial options
helm_chart.add_resource(HelmResourceKind::Deployment(
DeploymentBuilder::with_options(
&self.name,
image_url,
Some(self.network_ports.clone()),
Some(self.env_vars.clone()),
None,
)
.build(),
));
// Build the typed Service object using the helper function
if let Some(service) =
helm::create_service_from_ports(self.name.clone(), &self.network_ports)
{
helm_chart.add_resource(HelmResourceKind::Service(service));
}
// Write the Helm chart metadata to the project root
let chart_dir = helm_chart
.write_to(&self.project_root.join(".harmony_generated/helm/"))
.map_err(|e| format!("Failed to write Helm chart: {}", e))?;
info!("Helm chart for '{}' written to: {:?}", self.name, chart_dir);
Ok(chart_dir.to_string_lossy().to_string())
}
}
#[cfg(test)]
mod tests {
use super::*;
use crate::modules::application::config::ApplicationNetworkPort;
use crate::modules::application::config::NetworkProtocol;
use k8s_openapi::api::apps::v1::Deployment;
use k8s_openapi::api::core::v1::{Container, EnvVar, Service as K8sService, ServicePort};
use k8s_openapi::apimachinery::pkg::util::intstr::IntOrString;
use serde_yaml::from_str;
use std::fs;
use std::path::Path;
use tempfile::tempdir;
// Test Helpers
fn read_service_yaml(project_root: &Path, chart_name: &str) -> K8sService {
let path = project_root.join(format!(
".harmony_generated/helm/{chart_name}/templates/service.yaml"
));
let content = fs::read_to_string(&path)
.unwrap_or_else(|e| panic!("Failed to read service.yaml at {:?}: {}", path, e));
from_str(&content)
.unwrap_or_else(|e| panic!("Failed to parse service.yaml as K8s Service: {}", e))
}
fn read_deployment_yaml(project_root: &Path, chart_name: &str) -> Deployment {
let path = project_root.join(format!(
".harmony_generated/helm/{chart_name}/templates/deployment.yaml"
));
let content = fs::read_to_string(&path)
.unwrap_or_else(|e| panic!("Failed to read deployment.yaml at {:?}: {}", path, e));
from_str(&content)
.unwrap_or_else(|e| panic!("Failed to parse deployment.yaml as K8s Deployment: {}", e))
}
fn service_yaml_exists(project_root: &Path, chart_name: &str) -> bool {
let path = project_root.join(format!(
".harmony_generated/helm/{chart_name}/templates/service.yaml"
));
path.exists()
}
// Service Assertions
fn assert_service_metadata(service: &K8sService, expected_name: &str) {
assert_eq!(
service.metadata.name.as_deref(),
Some(expected_name),
"Service name should be '{expected_name}'"
);
}
fn assert_service_type(service: &K8sService, expected_type: &str) {
assert_eq!(
service.spec.as_ref().and_then(|s| s.type_.as_deref()),
Some(expected_type),
"Service type should be '{expected_type}'"
);
}
fn assert_service_port_count(service: &K8sService, expected_count: usize) {
let ports = service
.spec
.as_ref()
.and_then(|s| s.ports.as_ref())
.unwrap_or_else(|| panic!("Service should have ports"));
assert_eq!(
ports.len(),
expected_count,
"Service should have {expected_count} ports"
);
}
fn assert_service_port(
port: &ServicePort,
expected_name: &str,
expected_protocol: &str,
expected_number: i32,
) {
assert_eq!(
port.name.as_deref(),
Some(expected_name),
"Port name should be '{expected_name}'"
);
assert_eq!(
port.protocol.as_deref(),
Some(expected_protocol),
"Port '{expected_name}' protocol should be '{expected_protocol}'"
);
assert_eq!(
port.port, expected_number,
"Port '{expected_name}' number should be {expected_number}"
);
}
fn assert_target_port_matches_service_port(port: &ServicePort) {
match &port.target_port {
Some(IntOrString::Int(target)) => {
assert_eq!(
*target,
port.port,
"Target port should match service port for '{}'",
port.name.as_deref().unwrap_or("unknown")
);
}
_ => panic!(
"Target port should be Int for '{}'",
port.name.as_deref().unwrap_or("unknown")
),
}
}
// Deployment Assertions
fn assert_deployment_metadata(deployment: &Deployment, expected_name: &str) {
assert_eq!(
deployment.metadata.name.as_deref(),
Some(expected_name),
"Deployment name should be '{expected_name}'"
);
}
fn assert_deployment_replicas(deployment: &Deployment, expected_replicas: i32) {
let spec = deployment
.spec
.as_ref()
.unwrap_or_else(|| panic!("Deployment should have spec"));
assert_eq!(
spec.replicas,
Some(expected_replicas),
"Deployment should have {expected_replicas} replicas"
);
}
fn assert_selector_match_label(deployment: &Deployment, expected_label_value: &str) {
let spec = deployment
.spec
.as_ref()
.unwrap_or_else(|| panic!("Deployment should have spec"));
assert_eq!(
spec.selector
.match_labels
.as_ref()
.and_then(|m| m.get("app.kubernetes.io/name")),
Some(&expected_label_value.to_string()),
"Selector should match app name '{expected_label_value}'"
);
}
fn assert_pod_labels(deployment: &Deployment, expected_name: &str) {
let spec = deployment
.spec
.as_ref()
.unwrap_or_else(|| panic!("Deployment should have spec"));
let metadata = spec
.template
.metadata
.as_ref()
.unwrap_or_else(|| panic!("Pod template should have metadata"));
let labels = metadata
.labels
.as_ref()
.unwrap_or_else(|| panic!("Pod should have labels"));
assert_eq!(
labels.get("app.kubernetes.io/name"),
Some(&expected_name.to_string()),
"Pod label app.kubernetes.io/name should be '{expected_name}'"
);
assert_eq!(
labels.get("app.kubernetes.io/instance"),
Some(&expected_name.to_string()),
"Pod label app.kubernetes.io/instance should be '{expected_name}'"
);
}
// Container Assertions
fn assert_container_metadata(
container: &Container,
expected_name: &str,
expected_image: &str,
expected_pull_policy: &str,
) {
assert_eq!(
container.name, expected_name,
"Container name should be '{expected_name}'"
);
assert_eq!(
container.image.as_deref(),
Some(expected_image),
"Container image should be '{expected_image}'"
);
assert_eq!(
container.image_pull_policy.as_deref(),
Some(expected_pull_policy),
"Image pull policy should be '{expected_pull_policy}'"
);
}
fn assert_container_ports_count(container: &Container, expected_count: usize) {
let ports = container
.ports
.as_ref()
.unwrap_or_else(|| panic!("Container should have ports"));
assert_eq!(
ports.len(),
expected_count,
"Container should have {expected_count} ports"
);
}
fn assert_container_port(
port: &k8s_openapi::api::core::v1::ContainerPort,
expected_name: &str,
expected_protocol: &str,
expected_number: i32,
) {
assert_eq!(
port.name.as_deref(),
Some(expected_name),
"Container port name should be '{expected_name}'"
);
assert_eq!(
port.protocol.as_deref(),
Some(expected_protocol),
"Container port '{expected_name}' protocol should be '{expected_protocol}'"
);
assert_eq!(
port.container_port, expected_number,
"Container port '{expected_name}' number should be {expected_number}"
);
}
fn assert_container_env_vars_count(container: &Container, expected_count: usize) {
let env_vars = container
.env
.as_ref()
.unwrap_or_else(|| panic!("Container should have env vars"));
assert_eq!(
env_vars.len(),
expected_count,
"Container should have {expected_count} env vars"
);
}
fn assert_container_env_var(env_var: &EnvVar, expected_name: &str, expected_value: &str) {
assert_eq!(
env_var.name, expected_name,
"Env var name should be '{expected_name}'"
);
assert_eq!(
env_var.value.as_deref(),
Some(expected_value),
"Env var '{expected_name}' value should be '{expected_value}'"
);
}
fn get_container(deployment: &Deployment) -> Container {
let spec = deployment
.spec
.as_ref()
.unwrap_or_else(|| panic!("Deployment should have spec"));
let pod_spec = spec
.template
.spec
.as_ref()
.unwrap_or_else(|| panic!("Pod template should have spec"));
pod_spec
.containers
.first()
.unwrap_or_else(|| panic!("Should have exactly one container"))
.clone()
}
// Test Fixtures
fn standard_test_ports() -> Vec<ApplicationNetworkPort> {
vec![
ApplicationNetworkPort {
number: 8080,
protocol: NetworkProtocol::TCP,
name: "http".to_string(),
},
ApplicationNetworkPort {
number: 9000,
protocol: NetworkProtocol::TCP,
name: "metrics".to_string(),
},
ApplicationNetworkPort {
number: 50051,
protocol: NetworkProtocol::TCP,
name: "grpc".to_string(),
},
]
}
fn standard_test_env_vars() -> Vec<(String, String)> {
vec![
("ENV_VAR_1".to_string(), "value1".to_string()),
("ENV_VAR_2".to_string(), "value2".to_string()),
]
}
fn udp_test_ports() -> Vec<ApplicationNetworkPort> {
vec![
ApplicationNetworkPort {
number: 53,
protocol: NetworkProtocol::UDP,
name: "dns".to_string(),
},
ApplicationNetworkPort {
number: 8080,
protocol: NetworkProtocol::TCP,
name: "http".to_string(),
},
]
}
// Test Builder
struct BackendAppTestBuilder {
name: Option<String>,
network_ports: Option<Vec<ApplicationNetworkPort>>,
env_vars: Option<Vec<(String, String)>>,
}
impl BackendAppTestBuilder {
fn new() -> Self {
Self {
name: None,
network_ports: None,
env_vars: None,
}
}
fn with_name(mut self, name: impl Into<String>) -> Self {
self.name = Some(name.into());
self
}
fn with_standard_ports(mut self) -> Self {
self.network_ports = Some(standard_test_ports());
self
}
fn with_udp_ports(mut self) -> Self {
self.network_ports = Some(udp_test_ports());
self
}
fn with_standard_env_vars(mut self) -> Self {
self.env_vars = Some(standard_test_env_vars());
self
}
fn with_no_ports(mut self) -> Self {
self.network_ports = Some(vec![]);
self
}
fn build(self, project_root: PathBuf) -> BackendApp {
BackendApp {
name: self.name.unwrap_or_else(|| "test-app".to_string()),
project_root,
network_ports: self.network_ports.unwrap_or_default(),
env_vars: self.env_vars.unwrap_or_default(),
build_cmd: BuildCommand::new("cargo", vec!["build"]),
dockerfile: None,
}
}
}
impl Default for BackendAppTestBuilder {
fn default() -> Self {
Self::new()
}
}
// Helper function for test setup
async fn build_helm_chart_for_test(app: &BackendApp, image_url: &str) {
let result = app.build_push_helm_package(image_url).await;
assert!(
result.is_ok(),
"build_push_helm_package should succeed: {:?}",
result
);
}
// ===== SERVICE TESTS =====
#[tokio::test]
async fn service_is_created_with_application_name() {
let temp_dir = tempdir().expect("Failed to create temp directory");
let app = BackendAppTestBuilder::new()
.with_name("test-app")
.with_standard_ports()
.build(temp_dir.path().to_path_buf());
build_helm_chart_for_test(&app, "registry.example.com/test/test-app:1.0.0").await;
let service = read_service_yaml(&app.project_root, "test-app");
assert_service_metadata(&service, "test-app");
}
#[tokio::test]
async fn service_has_default_clusterip_type() {
let temp_dir = tempdir().expect("Failed to create temp directory");
let app = BackendAppTestBuilder::new()
.with_name("test-app")
.with_standard_ports()
.build(temp_dir.path().to_path_buf());
build_helm_chart_for_test(&app, "registry.example.com/test/test-app:1.0.0").await;
let service = read_service_yaml(&app.project_root, "test-app");
assert_service_type(&service, "ClusterIP");
}
#[tokio::test]
async fn service_exposes_all_network_ports() {
let temp_dir = tempdir().expect("Failed to create temp directory");
let app = BackendAppTestBuilder::new()
.with_name("test-app")
.with_standard_ports()
.build(temp_dir.path().to_path_buf());
build_helm_chart_for_test(&app, "registry.example.com/test/test-app:1.0.0").await;
let service = read_service_yaml(&app.project_root, "test-app");
assert_service_port_count(&service, 3);
let ports = service.spec.unwrap().ports.unwrap();
assert_service_port(&ports[0], "http", "TCP", 8080);
assert_service_port(&ports[1], "metrics", "TCP", 9000);
assert_service_port(&ports[2], "grpc", "TCP", 50051);
}
#[tokio::test]
async fn service_target_ports_match_service_ports() {
let temp_dir = tempdir().expect("Failed to create temp directory");
let app = BackendAppTestBuilder::new()
.with_name("test-app")
.with_standard_ports()
.build(temp_dir.path().to_path_buf());
build_helm_chart_for_test(&app, "registry.example.com/test/test-app:1.0.0").await;
let service = read_service_yaml(&app.project_root, "test-app");
let ports = service.spec.unwrap().ports.unwrap();
for port in &ports {
assert_target_port_matches_service_port(port);
}
}
#[tokio::test]
async fn service_not_created_when_application_has_no_ports() {
let temp_dir = tempdir().expect("Failed to create temp directory");
let app = BackendAppTestBuilder::new()
.with_name("test-app-no-ports")
.with_no_ports()
.build(temp_dir.path().to_path_buf());
build_helm_chart_for_test(&app, "registry.example.com/test/test-app-no-ports:1.0.0").await;
assert!(
!service_yaml_exists(&app.project_root, "test-app-no-ports"),
"service.yaml should not exist when there are no network ports"
);
}
#[tokio::test]
async fn service_respects_port_protocol_type() {
let temp_dir = tempdir().expect("Failed to create temp directory");
let app = BackendAppTestBuilder::new()
.with_name("udp-app")
.with_udp_ports()
.build(temp_dir.path().to_path_buf());
build_helm_chart_for_test(&app, "registry.example.com/test/udp-app:1.0.0").await;
let service = read_service_yaml(&app.project_root, "udp-app");
let ports = service.spec.unwrap().ports.unwrap();
assert_service_port(&ports[0], "dns", "UDP", 53);
assert_service_port(&ports[1], "http", "TCP", 8080);
}
// ===== DEPLOYMENT METADATA TESTS =====
#[tokio::test]
async fn deployment_has_application_name() {
let temp_dir = tempdir().expect("Failed to create temp directory");
let app = BackendAppTestBuilder::new()
.with_name("test-app")
.with_standard_ports()
.build(temp_dir.path().to_path_buf());
build_helm_chart_for_test(&app, "registry.example.com/test/test-app:1.0.0").await;
let deployment = read_deployment_yaml(&app.project_root, "test-app");
assert_deployment_metadata(&deployment, "test-app");
}
#[tokio::test]
async fn deployment_has_single_replica_by_default() {
let temp_dir = tempdir().expect("Failed to create temp directory");
let app = BackendAppTestBuilder::new()
.with_name("test-app")
.with_standard_ports()
.build(temp_dir.path().to_path_buf());
build_helm_chart_for_test(&app, "registry.example.com/test/test-app:1.0.0").await;
let deployment = read_deployment_yaml(&app.project_root, "test-app");
assert_deployment_replicas(&deployment, 1);
}
#[tokio::test]
async fn deployment_selector_matches_application_name() {
let temp_dir = tempdir().expect("Failed to create temp directory");
let app = BackendAppTestBuilder::new()
.with_name("test-app")
.with_standard_ports()
.build(temp_dir.path().to_path_buf());
build_helm_chart_for_test(&app, "registry.example.com/test/test-app:1.0.0").await;
let deployment = read_deployment_yaml(&app.project_root, "test-app");
assert_selector_match_label(&deployment, "test-app");
}
#[tokio::test]
async fn pod_has_standard_kubernetes_labels() {
let temp_dir = tempdir().expect("Failed to create temp directory");
let app = BackendAppTestBuilder::new()
.with_name("test-app")
.with_standard_ports()
.build(temp_dir.path().to_path_buf());
build_helm_chart_for_test(&app, "registry.example.com/test/test-app:1.0.0").await;
let deployment = read_deployment_yaml(&app.project_root, "test-app");
assert_pod_labels(&deployment, "test-app");
}
// ===== CONTAINER CONFIGURATION TESTS =====
#[tokio::test]
async fn container_has_correct_name_and_image() {
let temp_dir = tempdir().expect("Failed to create temp directory");
let app = BackendAppTestBuilder::new()
.with_name("test-app")
.with_standard_ports()
.build(temp_dir.path().to_path_buf());
let image_url = "registry.example.com/test/test-app:1.0.0";
build_helm_chart_for_test(&app, image_url).await;
let deployment = read_deployment_yaml(&app.project_root, "test-app");
let container = get_container(&deployment);
assert_container_metadata(&container, "test-app", image_url, "IfNotPresent");
}
#[tokio::test]
async fn container_exposes_all_application_ports() {
let temp_dir = tempdir().expect("Failed to create temp directory");
let app = BackendAppTestBuilder::new()
.with_name("test-app")
.with_standard_ports()
.build(temp_dir.path().to_path_buf());
build_helm_chart_for_test(&app, "registry.example.com/test/test-app:1.0.0").await;
let deployment = read_deployment_yaml(&app.project_root, "test-app");
let container = get_container(&deployment);
assert_container_ports_count(&container, 3);
let ports = container.ports.unwrap();
assert_container_port(&ports[0], "http", "TCP", 8080);
assert_container_port(&ports[1], "metrics", "TCP", 9000);
assert_container_port(&ports[2], "grpc", "TCP", 50051);
}
#[tokio::test]
async fn container_has_all_environment_variables() {
let temp_dir = tempdir().expect("Failed to create temp directory");
let app = BackendAppTestBuilder::new()
.with_name("test-app")
.with_standard_ports()
.with_standard_env_vars()
.build(temp_dir.path().to_path_buf());
build_helm_chart_for_test(&app, "registry.example.com/test/test-app:1.0.0").await;
let deployment = read_deployment_yaml(&app.project_root, "test-app");
let container = get_container(&deployment);
assert_container_env_vars_count(&container, 2);
let env_vars = container.env.unwrap();
assert_container_env_var(&env_vars[0], "ENV_VAR_1", "value1");
assert_container_env_var(&env_vars[1], "ENV_VAR_2", "value2");
}
// ===== BUILD COMMAND UNIT TESTS =====
#[test]
fn build_command_creation_sets_program_and_args() {
let cmd = BuildCommand::new("docker", vec!["build", "-t", "myimage"]);
assert_eq!(cmd.program, "docker");
assert_eq!(cmd.args, vec!["build", "-t", "myimage"]);
}
#[test]
fn build_command_clone_copies_all_fields() {
let cmd1 = BuildCommand::new("cargo", vec!["build", "--release"]);
let cmd2 = cmd1.clone();
assert_eq!(cmd1.program, cmd2.program);
assert_eq!(cmd1.args, cmd2.args);
}
}
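Review bot: the port assertions in `service_respects_port_protocol_type` and `container_exposes_all_application_ports` depend on positional order (`ports[0]`, `ports[1]`, `ports[2]`), so any change to how the builder orders ports fails these tests without a real regression; look each port up by name (for example `ports.iter().find(|p| p.name.as_deref() == Some("dns"))`) before asserting protocol and number. The repeated temp_dir / `BackendAppTestBuilder` / `build_helm_chart_for_test` preamble in the deployment and container tests could also move into one fixture helper.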

View File

@@ -0,0 +1,29 @@
use serde::Serialize;
#[derive(Debug, Clone, Serialize)]
pub enum NetworkProtocol {
TCP,
UDP,
}
impl NetworkProtocol {
pub fn as_str(&self) -> &str {
match self {
NetworkProtocol::TCP => "TCP",
NetworkProtocol::UDP => "UDP",
}
}
}
impl std::fmt::Display for NetworkProtocol {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
f.write_str(self.as_str())
}
}
#[derive(Debug, Clone, Serialize)]
pub struct ApplicationNetworkPort {
pub number: u16,
pub protocol: NetworkProtocol,
pub name: String,
}
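Review bot: `ApplicationNetworkPort` accepts any `number` and `name`, but Kubernetes rejects port 0 and rejects a port name outside the IANA_SVC_NAME rules (at most 15 characters, lowercase letters, digits and `-`, starting and ending alphanumeric, no consecutive hyphens), so a bad value only surfaces at `helm install` time. A validating constructor such as `ApplicationNetworkPort::new(number, protocol, name) -> Result<Self, _>` would fail at chart build time instead. Minor: `as_str` can return `&'static str`, and `NetworkProtocol` will need `PartialEq, Eq` (and `Deserialize` if these values ever come from config) as soon as a test compares protocols.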

View File

@@ -28,6 +28,7 @@ use harmony_secret_derive::Secret;
use harmony_types::net::Url;
use kube::api::ObjectMeta;
use log::{debug, info};
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
use std::sync::Arc;
@@ -132,7 +133,7 @@ impl<
}
}
#[derive(Secret, Serialize, Deserialize, Clone, Debug)]
#[derive(Secret, Serialize, Deserialize, JsonSchema, Clone, Debug)]
struct NtfyAuth {
username: String,
password: String,
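Review bot: the derive list on `NtfyAuth` still includes `Debug`, so any `{:?}` of this struct prints `password` in clear text in the logs; since this hunk already touches the derives, consider a manual `Debug` that redacts the field (or a secret-string wrapper) rather than adding `JsonSchema` alone. `JsonSchema` itself is fine here, it only describes the shape.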

View File

@@ -48,11 +48,11 @@ use crate::{
/// - ArgoCD to install/upgrade/rollback/inspect k8s resources
/// - Kubernetes for runtime orchestration
#[derive(Debug, Default, Clone)]
pub struct PackagingDeployment<A: OCICompliant + HelmPackage + Webapp> {
pub struct PackagingDeployment<A: OCICompliant + HelmPackage> {
pub application: Arc<A>,
}
impl<A: OCICompliant + HelmPackage + Webapp> PackagingDeployment<A> {
impl<A: OCICompliant + HelmPackage> PackagingDeployment<A> {
async fn deploy_to_local_k3d(
&self,
app_name: String,
@@ -138,7 +138,7 @@ impl<A: OCICompliant + HelmPackage + Webapp> PackagingDeployment<A> {
#[async_trait]
impl<
A: OCICompliant + HelmPackage + Webapp + Clone + 'static,
A: OCICompliant + HelmPackage + Clone + 'static,
T: Topology + HelmCommand + MultiTargetTopology + K8sclient + Ingress + 'static,
> ApplicationFeature<T> for PackagingDeployment<A>
{
@@ -148,24 +148,12 @@ impl<
) -> Result<InstallationOutcome, InstallationError> {
let image = self.application.image_name();
let domain = if topology.current_target() == DeploymentTarget::Production {
self.application.dns()
} else {
topology
.get_domain(&self.application.name())
.await
.map_err(|e| e.to_string())?
};
// TODO Write CI/CD workflow files
// we can autotedect the CI type using the remote url (default to github action for github
// url, etc..)
// Or ask for it when unknown
let helm_chart = self
.application
.build_push_helm_package(&image, &domain)
.await?;
let helm_chart = self.application.build_push_helm_package(&image).await?;
// TODO: Make building image configurable/skippable if image already exists (prompt)")
// https://git.nationtech.io/NationTech/harmony/issues/104
@@ -215,12 +203,12 @@ impl<
};
Ok(InstallationOutcome::success_with_details(vec![format!(
"{}: http://{domain}",
"{}",
self.application.name()
)]))
}
fn name(&self) -> String {
"ContinuousDelivery".to_string()
"PackagingDeployment".to_string()
}
}
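Review bot: removing the `DeploymentTarget::Production` branch (the old `let domain = if topology.current_target() ...` block) means the topology-derived domain is no longer used for non-production targets; `build_push_helm_package(&image)` now has to pick the domain itself, and the matching `RustWebapp` change in this compare uses `self.dns()` unconditionally, so a chart built for local k3d carries the production hostname. Either keep passing the domain from the feature or make the target explicit in the new signature. Two smaller points: `name()` changing from `"ContinuousDelivery"` to `"PackagingDeployment"` affects anything keyed on the feature name, and the context comment `// TODO: Make building image configurable/skippable if image already exists (prompt)")` has a stray `")` worth cleaning while here.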

View File

@@ -0,0 +1,446 @@
// Re-export common Kubernetes types for convenience
pub use k8s_openapi::api::{
apps::v1::{Deployment, DeploymentSpec},
core::v1::{
Container, ContainerPort, EnvVar, PodSpec, PodTemplateSpec, Service as K8sService,
ServicePort, ServiceSpec,
},
};
use k8s_openapi::apimachinery::pkg::util::intstr::IntOrString;
use kube::core::ObjectMeta;
// Import domain types for the deployment builder
use crate::modules::application::config::{ApplicationNetworkPort, NetworkProtocol};
use std::fs;
use std::path::{Path, PathBuf};
/// Enum representing all supported Kubernetes resource types for Helm charts.
/// Supports built-in typed resources and custom CRDs via YAML strings.
pub enum HelmResourceKind {
/// Built-in typed Service resource
Service(K8sService),
/// Built-in typed Deployment resource
Deployment(Deployment),
/// Custom resource as pre-serialized YAML (e.g., CRDs, custom types)
CustomYaml { filename: String, content: String },
// Can add more typed variants as needed: ConfigMap, Secret, Ingress, etc.
}
impl HelmResourceKind {
pub fn filename(&self) -> String {
match self {
HelmResourceKind::Service(_) => "service.yaml".to_string(),
HelmResourceKind::Deployment(_) => "deployment.yaml".to_string(),
HelmResourceKind::CustomYaml { filename, .. } => filename.clone(),
}
}
pub fn serialize_to_yaml(&self) -> Result<String, serde_yaml::Error> {
match self {
HelmResourceKind::Service(s) => serde_yaml::to_string(s),
HelmResourceKind::Deployment(d) => serde_yaml::to_string(d),
HelmResourceKind::CustomYaml { content, .. } => Ok(content.clone()),
}
}
pub fn as_service(&self) -> Option<&K8sService> {
match self {
HelmResourceKind::Service(s) => Some(s),
_ => None,
}
}
pub fn as_deployment(&self) -> Option<&Deployment> {
match self {
HelmResourceKind::Deployment(d) => Some(d),
_ => None,
}
}
/// Add a custom resource from any serializable type (e.g., CRDs, custom types)
pub fn from_yaml(filename: impl Into<String>, content: impl Into<String>) -> Self {
HelmResourceKind::CustomYaml {
filename: filename.into(),
content: content.into(),
}
}
/// Add a custom resource from any type that implements Serialize
pub fn from_serializable<T: serde::Serialize>(
filename: impl Into<String>,
resource: &T,
) -> Result<Self, serde_yaml::Error> {
Ok(HelmResourceKind::CustomYaml {
filename: filename.into(),
content: serde_yaml::to_string(resource)?,
})
}
}
/// The main orchestrator for building a Helm chart.
pub struct HelmChart {
pub name: String,
pub version: String,
pub app_version: String,
pub description: String,
pub resources: Vec<HelmResourceKind>,
pub values: Vec<String>,
}
impl HelmChart {
pub fn new(name: String, app_version: String) -> Self {
Self {
name: name.clone(),
version: "0.1.0".to_string(),
app_version,
description: format!("A Helm chart for {}", name),
resources: Vec::new(),
values: Vec::new(),
}
}
pub fn add_resource(&mut self, resource: HelmResourceKind) {
self.resources.push(resource);
}
pub fn add_value(&mut self, key: &str, value: &str) {
self.values.push(format!("{}: {}", key, value));
}
pub fn write_to(&self, base_path: &Path) -> Result<PathBuf, Box<dyn std::error::Error>> {
let chart_dir = base_path.join(&self.name);
let templates_dir = chart_dir.join("templates");
fs::create_dir_all(&templates_dir)?;
// 1. Render and write Chart.yaml
let chart_yaml = ChartYaml {
name: &self.name,
description: &self.description,
version: &self.version,
app_version: &self.app_version,
};
fs::write(chart_dir.join("Chart.yaml"), chart_yaml.render()?)?;
// 2. Write values.yaml (Constructed dynamically)
let values_content = self.values.join("\n");
fs::write(chart_dir.join("values.yaml"), values_content)?;
// 3. Serialize and write all added resources (Deployment, Service, etc.)
for resource in &self.resources {
let filename = resource.filename();
let content = resource
.serialize_to_yaml()
.map_err(|e| format!("Failed to serialize resource {}: {}", filename, e))?;
fs::write(templates_dir.join(filename), content)?;
}
Ok(chart_dir)
}
}
use askama::Template;
#[derive(Template)]
#[template(path = "helm/Chart.yaml.j2")]
struct ChartYaml<'a> {
name: &'a str,
description: &'a str,
version: &'a str,
app_version: &'a str,
}
/// Builder for creating a Kubernetes Service with proper labels and selectors.
pub struct ServiceBuilder {
name: String,
service_type: String,
ports: Vec<ServicePort>,
selector_label: String,
}
impl ServiceBuilder {
pub fn new(name: impl Into<String>) -> Self {
Self {
name: name.into(),
service_type: "ClusterIP".to_string(),
ports: Vec::new(),
selector_label: String::new(),
}
}
pub fn service_type(mut self, service_type: impl Into<String>) -> Self {
self.service_type = service_type.into();
self
}
pub fn with_port(
mut self,
name: impl Into<String>,
port: i32,
protocol: impl Into<String>,
) -> Self {
use k8s_openapi::apimachinery::pkg::util::intstr::IntOrString;
self.ports.push(ServicePort {
name: Some(name.into()),
protocol: Some(protocol.into()),
port,
target_port: Some(IntOrString::Int(port)),
..Default::default()
});
self
}
pub fn selector_label(mut self, label: impl Into<String>) -> Self {
self.selector_label = label.into();
self
}
pub fn build(self) -> K8sService {
K8sService {
metadata: ObjectMeta {
name: Some(self.name.clone()),
labels: Some(
[
("app.kubernetes.io/name".to_string(), self.name.clone()),
(
"app.kubernetes.io/component".to_string(),
"service".to_string(),
),
(
"app.kubernetes.io/managed-by".to_string(),
"harmony".to_string(),
),
]
.into(),
),
..Default::default()
},
spec: Some(ServiceSpec {
type_: Some(self.service_type),
selector: Some(
[("app.kubernetes.io/name".to_string(), self.selector_label)].into(),
),
ports: if self.ports.is_empty() {
None
} else {
Some(self.ports)
},
..Default::default()
}),
..Default::default()
}
}
}
/// Builder for creating a Kubernetes Deployment with pod template and container spec.
pub struct DeploymentBuilder {
name: String,
image: String,
replicas: i32,
container_ports: Vec<ContainerPort>,
env_vars: Vec<EnvVar>,
image_pull_policy: Option<String>,
}
impl DeploymentBuilder {
/// Create a new DeploymentBuilder with minimal required fields.
pub fn new(name: impl Into<String>, image: impl Into<String>) -> Self {
Self::with_options(name, image, None, None, None)
}
/// Create a new DeploymentBuilder with optional initial configuration.
///
/// Arguments:
/// - `name`: The deployment name
/// - `image`: The container image to use
/// - `ports`: Optional vector of initial application network ports
/// - `env_vars`: Optional vector of initial environment variable key-value pairs
/// - `replicas`: Optional number of replicas (defaults to 1)
pub fn with_options(
name: impl Into<String>,
image: impl Into<String>,
ports: Option<Vec<ApplicationNetworkPort>>,
env_vars: Option<Vec<(String, String)>>,
replicas: Option<i32>,
) -> Self {
let container_ports: Vec<ContainerPort> = ports
.unwrap_or_default()
.into_iter()
.map(|port| ContainerPort {
container_port: port.number as i32,
name: Some(port.name),
protocol: Some(port.protocol.to_string()),
..Default::default()
})
.collect();
let k8s_env_vars: Vec<EnvVar> = env_vars
.unwrap_or_default()
.into_iter()
.map(|(key, value)| EnvVar {
name: key,
value: Some(value),
..Default::default()
})
.collect();
Self {
name: name.into(),
image: image.into(),
replicas: replicas.unwrap_or(1),
container_ports,
env_vars: k8s_env_vars,
image_pull_policy: Some("IfNotPresent".to_string()),
}
}
pub fn replicas(mut self, replicas: i32) -> Self {
self.replicas = replicas;
self
}
pub fn with_container_port(
mut self,
number: i32,
name: impl Into<String>,
protocol: impl Into<String>,
) -> Self {
self.container_ports.push(ContainerPort {
container_port: number,
name: Some(name.into()),
protocol: Some(protocol.into()),
..Default::default()
});
self
}
pub fn with_env_var(mut self, name: impl Into<String>, value: impl Into<String>) -> Self {
self.env_vars.push(EnvVar {
name: name.into(),
value: Some(value.into()),
..Default::default()
});
self
}
pub fn image_pull_policy(mut self, policy: impl Into<String>) -> Self {
self.image_pull_policy = Some(policy.into());
self
}
pub fn build(self) -> Deployment {
let name = self.name.clone();
Deployment {
metadata: ObjectMeta {
name: Some(name.clone()),
labels: Some(
[
("app.kubernetes.io/name".to_string(), name.clone()),
(
"app.kubernetes.io/component".to_string(),
"deployment".to_string(),
),
(
"app.kubernetes.io/managed-by".to_string(),
"harmony".to_string(),
),
("app.kubernetes.io/version".to_string(), "1.0.0".to_string()),
]
.into(),
),
..Default::default()
},
spec: Some(DeploymentSpec {
replicas: Some(self.replicas),
selector: k8s_openapi::apimachinery::pkg::apis::meta::v1::LabelSelector {
match_labels: Some(
[("app.kubernetes.io/name".to_string(), name.clone())].into(),
),
..Default::default()
},
template: PodTemplateSpec {
metadata: Some(ObjectMeta {
labels: Some(
[
("app.kubernetes.io/name".to_string(), name.clone()),
("app.kubernetes.io/instance".to_string(), name.clone()),
]
.into(),
),
..Default::default()
}),
spec: Some(PodSpec {
containers: vec![Container {
name: name.clone(),
image: Some(self.image),
image_pull_policy: self.image_pull_policy,
ports: if self.container_ports.is_empty() {
None
} else {
Some(self.container_ports)
},
env: if self.env_vars.is_empty() {
None
} else {
Some(self.env_vars)
},
..Default::default()
}],
..Default::default()
}),
},
..Default::default()
}),
..Default::default()
}
}
}
/// Helper function to create a Service from network port configuration.
/// Returns `None` if no ports are provided.
pub fn create_service_from_ports(
name: String,
network_ports: &[ApplicationNetworkPort],
) -> Option<K8sService> {
if network_ports.is_empty() {
return None;
}
let ports: Vec<ServicePort> = network_ports
.into_iter()
.map(|port| ServicePort {
name: Some(port.name.clone()),
protocol: Some(port.protocol.to_string()),
port: port.number as i32,
target_port: Some(IntOrString::Int(port.number as i32)),
..Default::default()
})
.collect();
Some(K8sService {
metadata: ObjectMeta {
name: Some(name.clone()),
labels: Some(
[
("app.kubernetes.io/name".to_string(), name.clone()),
(
"app.kubernetes.io/component".to_string(),
"service".to_string(),
),
(
"app.kubernetes.io/managed-by".to_string(),
"harmony".to_string(),
),
]
.into(),
),
..Default::default()
},
spec: Some(ServiceSpec {
type_: Some("ClusterIP".to_string()),
selector: Some([("app.kubernetes.io/name".to_string(), name)].into()),
ports: Some(ports),
..Default::default()
}),
..Default::default()
})
}
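Review bot: `DeploymentBuilder::build` hardcodes the `app.kubernetes.io/version` label to `"1.0.0"` while `HelmChart` carries the real `app_version`, so every deployment is labelled with the wrong version; pass the version into the builder (or drop the label) rather than using a literal. `HelmChart::add_value` also writes `format!("{}: {}", key, value)` straight into values.yaml with no escaping, so a value containing `:`, `#` or a newline yields a malformed or misread file; collect the values into a `BTreeMap<String, serde_yaml::Value>` and write `serde_yaml::to_string` of it instead. Smaller points: `create_service_from_ports` duplicates `ServiceBuilder::build` almost line for line and could call the builder; `with_port` re-imports `IntOrString` locally although it is already imported at the top of the file; `network_ports.into_iter()` on a slice should be `iter()`; values.yaml is written without a trailing newline. From a hardening angle the generated `Container` has no `security_context` and no `resources`, so builder options for `run_as_non_root`, `read_only_root_filesystem` and CPU/memory limits would stop every chart from defaulting to an unconstrained pod.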

View File

@@ -1,5 +1,8 @@
pub mod backend_app;
pub mod config;
mod feature;
pub mod features;
pub mod helm;
pub mod oci;
mod rust;
mod webapp;
@@ -124,3 +127,15 @@ impl Serialize for dyn Application {
todo!()
}
}
/// Checks the output of a process command for success.
fn check_output(
output: &std::process::Output,
msg: &str,
) -> Result<(), Box<dyn std::error::Error>> {
if !output.status.success() {
let error_message = format!("{}: {}", msg, String::from_utf8_lossy(&output.stderr));
return Err(error_message.into());
}
Ok(())
}

View File

@@ -1,5 +1,13 @@
use std::path::{Path, PathBuf};
use crate::{
config::{REGISTRY_PROJECT, REGISTRY_URL},
modules::application::check_output,
};
use super::Application;
use async_trait::async_trait;
use log::debug;
#[async_trait]
pub trait OCICompliant: Application {
@@ -17,9 +25,74 @@ pub trait HelmPackage: Application {
/// # Arguments
/// * `image_url` - The full URL of the OCI container image to be used in the Deployment.
/// * `domain` - The domain where the application is hosted.
async fn build_push_helm_package(
async fn build_push_helm_package(&self, image_url: &str) -> Result<String, String>;
fn project_root(&self) -> PathBuf;
fn chart_name(&self) -> String;
/// Packages a Helm chart directory into a .tgz file.
fn package_helm_chart(&self, chart_dir: &Path) -> Result<PathBuf, Box<dyn std::error::Error>> {
let chart_dirname = chart_dir.file_name().expect("Should find a chart dirname");
debug!(
"Launching `helm package {}` cli with CWD {}",
chart_dirname.to_string_lossy(),
&self
.project_root()
.join(".harmony_generated")
.join("helm")
.to_string_lossy()
);
let output = std::process::Command::new("helm")
.args(["package", chart_dirname.to_str().unwrap()])
.current_dir(self.project_root().join(".harmony_generated").join("helm")) // Run package from the parent dir
.output()?;
check_output(&output, "Failed to package Helm chart")?;
// Helm prints the path of the created chart to stdout.
let tgz_name = String::from_utf8(output.stdout)?
.split_whitespace()
.last()
.unwrap_or_default()
.to_string();
if tgz_name.is_empty() {
return Err("Could not determine packaged chart filename.".into());
}
// The output from helm is relative, so we join it with the execution directory.
Ok(self
.project_root()
.join(".harmony_generated")
.join("helm")
.join(tgz_name))
}
/// Pushes a packaged Helm chart to an OCI registry.
fn push_helm_chart(
&self,
image_url: &str,
domain: &str,
) -> Result<String, String>;
packaged_chart_path: &Path,
) -> Result<String, Box<dyn std::error::Error>> {
// The chart name is the file stem of the .tgz file
let chart_file_name = packaged_chart_path.file_stem().unwrap().to_str().unwrap();
let oci_push_url = format!("oci://{}/{}", *REGISTRY_URL, *REGISTRY_PROJECT);
let oci_pull_url = format!("{oci_push_url}/{}-chart", self.chart_name());
debug!(
"Pushing Helm chart {} to {}",
packaged_chart_path.to_string_lossy(),
oci_push_url
);
let output = std::process::Command::new("helm")
.args(["push", packaged_chart_path.to_str().unwrap(), &oci_push_url])
.output()?;
check_output(&output, "Pushing Helm chart failed")?;
// The final URL includes the version tag, which is part of the file name
let version = chart_file_name.rsplit_once('-').unwrap().1;
debug!("pull url {oci_pull_url}");
debug!("push url {oci_push_url}");
Ok(format!("{}:{}", oci_pull_url, version))
}
}
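Review bot: the doc comment kept at the top of this hunk (`/// * \`domain\` - The domain where the application is hosted.`) documents a parameter that the new `build_push_helm_package(&self, image_url: &str)` signature no longer has; update or remove it. In the default `push_helm_chart`, `chart_file_name.rsplit_once('-').unwrap().1` panics on a packaged file name without a hyphen and returns the wrong tag for a pre-release version such as `0.1.0-rc1`, and `file_stem().unwrap().to_str().unwrap()` panics on a non-UTF-8 path; since the method already returns `Result`, map those to errors. In `package_helm_chart`, `split_whitespace().last()` mis-parses a chart path containing spaces; taking the text after the colon in helm's `Successfully packaged chart and saved it to: <path>` line is more robust. Deriving the chart version from the file name rather than from the `HelmChart` that was just built is also fragile.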

View File

@@ -81,16 +81,21 @@ impl Webapp for RustWebapp {
#[async_trait]
impl HelmPackage for RustWebapp {
async fn build_push_helm_package(
&self,
image_url: &str,
domain: &str,
) -> Result<String, String> {
fn project_root(&self) -> PathBuf {
self.project_root.clone()
}
fn chart_name(&self) -> String {
self.name.clone()
}
async fn build_push_helm_package(&self, image_url: &str) -> Result<String, String> {
let domain = self.dns();
info!("Starting Helm chart build and push for '{}'", self.name);
// 1. Create the Helm chart files on disk.
let chart_dir = self
.create_helm_chart_files(image_url, domain)
.create_helm_chart_files(image_url, &domain)
.await
.map_err(|e| format!("Failed to create Helm chart files: {}", e))?;
info!("Successfully created Helm chart files in {:?}", chart_dir);
@@ -327,19 +332,6 @@ impl RustWebapp {
Ok(image_tag.to_string())
}
/// Checks the output of a process command for success.
fn check_output(
&self,
output: &process::Output,
msg: &str,
) -> Result<(), Box<dyn std::error::Error>> {
if !output.status.success() {
let error_message = format!("{}: {}", msg, String::from_utf8_lossy(&output.stderr));
return Err(error_message.into());
}
Ok(())
}
fn build_builder_image(&self, dockerfile: &mut Dockerfile) {
match self.framework {
Some(RustWebFramework::Leptos) => {
@@ -640,71 +632,6 @@ spec:
Ok(chart_dir)
}
/// Packages a Helm chart directory into a .tgz file.
fn package_helm_chart(&self, chart_dir: &Path) -> Result<PathBuf, Box<dyn std::error::Error>> {
let chart_dirname = chart_dir.file_name().expect("Should find a chart dirname");
debug!(
"Launching `helm package {}` cli with CWD {}",
chart_dirname.to_string_lossy(),
&self
.project_root
.join(".harmony_generated")
.join("helm")
.to_string_lossy()
);
let output = process::Command::new("helm")
.args(["package", chart_dirname.to_str().unwrap()])
.current_dir(self.project_root.join(".harmony_generated").join("helm")) // Run package from the parent dir
.output()?;
self.check_output(&output, "Failed to package Helm chart")?;
// Helm prints the path of the created chart to stdout.
let tgz_name = String::from_utf8(output.stdout)?
.split_whitespace()
.last()
.unwrap_or_default()
.to_string();
if tgz_name.is_empty() {
return Err("Could not determine packaged chart filename.".into());
}
// The output from helm is relative, so we join it with the execution directory.
Ok(self
.project_root
.join(".harmony_generated")
.join("helm")
.join(tgz_name))
}
/// Pushes a packaged Helm chart to an OCI registry.
fn push_helm_chart(
&self,
packaged_chart_path: &Path,
) -> Result<String, Box<dyn std::error::Error>> {
// The chart name is the file stem of the .tgz file
let chart_file_name = packaged_chart_path.file_stem().unwrap().to_str().unwrap();
let oci_push_url = format!("oci://{}/{}", *REGISTRY_URL, *REGISTRY_PROJECT);
let oci_pull_url = format!("{oci_push_url}/{}-chart", self.name);
debug!(
"Pushing Helm chart {} to {}",
packaged_chart_path.to_string_lossy(),
oci_push_url
);
let output = process::Command::new("helm")
.args(["push", packaged_chart_path.to_str().unwrap(), &oci_push_url])
.output()?;
self.check_output(&output, "Pushing Helm chart failed")?;
// The final URL includes the version tag, which is part of the file name
let version = chart_file_name.rsplit_once('-').unwrap().1;
debug!("pull url {oci_pull_url}");
debug!("push url {oci_push_url}");
Ok(format!("{}:{}", oci_pull_url, version))
}
fn get_or_build_dockerfile(&self) -> Result<PathBuf, Box<dyn std::error::Error>> {
let existing_dockerfile = self.project_root.join("Dockerfile");

View File

@@ -0,0 +1,138 @@
use async_trait::async_trait;
use brocade::{BrocadeOptions, PortOperatingMode};
use crate::{
data::Version,
infra::brocade::{BrocadeSwitchClient, BrocadeSwitchConfig},
interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
inventory::Inventory,
score::Score,
topology::{
HostNetworkConfig, PortConfig, PreparationError, PreparationOutcome, Switch, SwitchClient,
SwitchError, Topology,
},
};
use harmony_macros::ip;
use harmony_types::{id::Id, net::MacAddress, switch::PortLocation};
use log::{debug, info};
use serde::Serialize;
#[derive(Clone, Debug, Serialize)]
pub struct BrocadeSwitchScore {
pub port_channels_to_clear: Vec<Id>,
pub ports_to_configure: Vec<PortConfig>,
}
impl<T: Topology + Switch> Score<T> for BrocadeSwitchScore {
fn name(&self) -> String {
"BrocadeSwitchScore".to_string()
}
#[doc(hidden)]
fn create_interpret(&self) -> Box<dyn Interpret<T>> {
Box::new(BrocadeSwitchInterpret {
score: self.clone(),
})
}
}
#[derive(Debug)]
pub struct BrocadeSwitchInterpret {
score: BrocadeSwitchScore,
}
#[async_trait]
impl<T: Topology + Switch> Interpret<T> for BrocadeSwitchInterpret {
async fn execute(
&self,
_inventory: &Inventory,
topology: &T,
) -> Result<Outcome, InterpretError> {
info!("Applying switch configuration {:?}", self.score);
debug!(
"Clearing port channel {:?}",
self.score.port_channels_to_clear
);
topology
.clear_port_channel(&self.score.port_channels_to_clear)
.await
.map_err(|e| InterpretError::new(e.to_string()))?;
debug!("Configuring interfaces {:?}", self.score.ports_to_configure);
topology
.configure_interface(&self.score.ports_to_configure)
.await
.map_err(|e| InterpretError::new(e.to_string()))?;
Ok(Outcome::success("switch configured".to_string()))
}
fn get_name(&self) -> InterpretName {
InterpretName::Custom("BrocadeSwitchInterpret")
}
fn get_version(&self) -> Version {
todo!()
}
fn get_status(&self) -> InterpretStatus {
todo!()
}
fn get_children(&self) -> Vec<Id> {
todo!()
}
}
/*
pub struct BrocadeSwitchConfig {
pub ips: Vec<harmony_types::net::IpAddress>,
pub username: String,
pub password: String,
pub options: BrocadeOptions,
}
*/
pub struct SwitchTopology {
client: Box<dyn SwitchClient>,
}
#[async_trait]
impl Topology for SwitchTopology {
fn name(&self) -> &str {
"SwitchTopology"
}
async fn ensure_ready(&self) -> Result<PreparationOutcome, PreparationError> {
Ok(PreparationOutcome::Noop)
}
}
impl SwitchTopology {
pub async fn new(config: BrocadeSwitchConfig) -> Self {
let client = BrocadeSwitchClient::init(config)
.await
.expect("Failed to connect to switch");
let client = Box::new(client);
Self { client }
}
}
#[async_trait]
impl Switch for SwitchTopology {
async fn setup_switch(&self) -> Result<(), SwitchError> {
todo!()
}
async fn get_port_for_mac_address(
&self,
_mac_address: &MacAddress,
) -> Result<Option<PortLocation>, SwitchError> {
todo!()
}
async fn configure_port_channel(&self, _config: &HostNetworkConfig) -> Result<(), SwitchError> {
todo!()
}
async fn clear_port_channel(&self, ids: &Vec<Id>) -> Result<(), SwitchError> {
self.client.clear_port_channel(ids).await
}
async fn configure_interface(&self, ports: &Vec<PortConfig>) -> Result<(), SwitchError> {
self.client.configure_interface(ports).await
}
}
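Review bot: `get_version`, `get_status` and `get_children` on `BrocadeSwitchInterpret`, and `setup_switch`, `get_port_for_mac_address` and `configure_port_channel` on `SwitchTopology`, are `todo!()`, so any caller that goes through the generic `Interpret` / `Switch` traits panics at runtime instead of getting an error; return an `InterpretError` / `SwitchError` for the unsupported operations, or document that this topology only supports clearing port channels and configuring interfaces. `SwitchTopology::new` likewise uses `.expect("Failed to connect to switch")` on a network operation; an async constructor returning `Result<Self, SwitchError>` lets the caller handle an unreachable switch. Cleanup: the commented-out `BrocadeSwitchConfig` block duplicates the real type now imported from `infra::brocade`, and `BrocadeOptions`, `PortOperatingMode` and `harmony_macros::ip` look unused in this file.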

View File

@@ -4,6 +4,7 @@ use async_trait::async_trait;
use brocade::BrocadeOptions;
use harmony_secret::{Secret, SecretManager};
use harmony_types::id::Id;
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
use crate::{
@@ -37,17 +38,17 @@ pub struct BrocadeEnableSnmpInterpret {
score: BrocadeEnableSnmpScore,
}
#[derive(Secret, Clone, Debug, Serialize, Deserialize)]
struct BrocadeSwitchAuth {
username: String,
password: String,
#[derive(Secret, Clone, Debug, JsonSchema, Serialize, Deserialize)]
pub struct BrocadeSwitchAuth {
pub username: String,
pub password: String,
}
#[derive(Secret, Clone, Debug, Serialize, Deserialize)]
struct BrocadeSnmpAuth {
username: String,
auth_password: String,
des_password: String,
#[derive(Secret, Clone, Debug, JsonSchema, Serialize, Deserialize)]
pub struct BrocadeSnmpAuth {
pub username: String,
pub auth_password: String,
pub des_password: String,
}
#[async_trait]
@@ -71,7 +72,7 @@ impl<T: Topology> Interpret<T> for BrocadeEnableSnmpInterpret {
&switch_addresses,
&config.username,
&config.password,
BrocadeOptions {
&BrocadeOptions {
dry_run: self.score.dry_run,
..Default::default()
},
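Review bot: `BrocadeSwitchAuth` and `BrocadeSnmpAuth` become `pub` with `pub` fields here while still deriving `Debug`, so a `{:?}` anywhere downstream now prints `password`, `auth_password` and `des_password` in clear; a manual `Debug` impl that redacts those fields, or a secret-string wrapper type, keeps the wider visibility from turning into log leakage. The `&BrocadeOptions` change itself is fine.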

View File

@@ -0,0 +1,5 @@
pub mod brocade;
pub use brocade::*;
pub mod brocade_snmp;
pub use brocade_snmp::*;

View File

@@ -2,17 +2,45 @@ use async_trait::async_trait;
use serde::Serialize;
use crate::{
executors::ExecutorError,
interpret::Outcome,
topology::{PreparationError, PreparationOutcome},
modules::cert_manager::crd::{AcmeIssuer, CaIssuer},
};
///TODO rust doc explaining issuer, certificate etc
#[async_trait]
pub trait CertificateManagement: Send + Sync {
async fn install(
async fn install(&self) -> Result<Outcome, ExecutorError>;
async fn ensure_certificate_management_ready(&self) -> Result<Outcome, ExecutorError>;
async fn create_issuer(
&self,
issuer_name: String,
config: &CertificateManagementConfig,
) -> Result<PreparationOutcome, PreparationError>;
) -> Result<Outcome, ExecutorError>;
async fn create_certificate(
&self,
cert_name: String,
issuer_name: String,
common_name: Option<String>,
dns_names: Option<Vec<String>>,
is_ca: Option<bool>,
config: &CertificateManagementConfig,
) -> Result<Outcome, ExecutorError>;
async fn get_ca_certificate(
&self,
cert_name: String,
config: &CertificateManagementConfig,
) -> Result<String, ExecutorError>;
}
#[derive(Debug, Clone, Serialize)]
pub struct CertificateManagementConfig {}
pub struct CertificateManagementConfig {
pub namespace: Option<String>,
pub acme_issuer: Option<AcmeIssuer>,
pub ca_issuer: Option<CaIssuer>,
pub self_signed: bool,
}
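Review bot: `CertificateManagementConfig` now has `acme_issuer`, `ca_issuer` and `self_signed` as three independent fields, so a config with both `acme_issuer: Some(..)` and `self_signed: true` is representable but has no defined meaning for `create_issuer`; an enum such as `IssuerKind { Acme(AcmeIssuer), Ca(CaIssuer), SelfSigned }` makes the choice exclusive at the type level. The `///TODO rust doc explaining issuer, certificate etc` line is still a placeholder on the public trait; at minimum document what `create_certificate` does when `common_name` and `dns_names` are both `None`, and what format `get_ca_certificate` returns (PEM?).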

View File

@@ -0,0 +1,113 @@
use kube::{CustomResource, api::ObjectMeta};
use serde::{Deserialize, Serialize};
#[derive(CustomResource, Deserialize, Serialize, Clone, Debug)]
#[kube(
group = "cert-manager.io",
version = "v1",
kind = "Certificate",
plural = "certificates",
namespaced = true,
schema = "disabled"
)]
#[serde(rename_all = "camelCase")]
pub struct CertificateSpec {
/// Name of the Secret where the certificate will be stored
pub secret_name: String,
/// Common Name (optional but often discouraged in favor of SANs)
#[serde(skip_serializing_if = "Option::is_none")]
pub common_name: Option<String>,
/// DNS Subject Alternative Names
#[serde(skip_serializing_if = "Option::is_none")]
pub dns_names: Option<Vec<String>>,
/// IP Subject Alternative Names
#[serde(skip_serializing_if = "Option::is_none")]
pub ip_addresses: Option<Vec<String>>,
/// Certificate duration (e.g. "2160h")
#[serde(skip_serializing_if = "Option::is_none")]
pub duration: Option<String>,
/// How long before expiry cert-manager should renew
#[serde(skip_serializing_if = "Option::is_none")]
pub renew_before: Option<String>,
/// Reference to the Issuer or ClusterIssuer
pub issuer_ref: IssuerRef,
/// Is this a CA certificate
#[serde(skip_serializing_if = "Option::is_none")]
#[serde(rename = "isCA")]
pub is_ca: Option<bool>,
/// Private key configuration
#[serde(skip_serializing_if = "Option::is_none")]
pub private_key: Option<PrivateKey>,
}
impl Default for Certificate {
fn default() -> Self {
Certificate {
metadata: ObjectMeta::default(),
spec: CertificateSpec::default(),
}
}
}
impl Default for CertificateSpec {
fn default() -> Self {
Self {
secret_name: String::new(),
common_name: None,
dns_names: None,
ip_addresses: None,
duration: None,
renew_before: None,
issuer_ref: IssuerRef::default(),
is_ca: None,
private_key: None,
}
}
}
#[derive(Deserialize, Serialize, Clone, Debug)]
#[serde(rename_all = "camelCase")]
pub struct IssuerRef {
pub name: String,
/// Either "Issuer" or "ClusterIssuer"
#[serde(skip_serializing_if = "Option::is_none")]
pub kind: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub group: Option<String>,
}
impl Default for IssuerRef {
fn default() -> Self {
Self {
name: String::new(),
kind: None,
group: None,
}
}
}
#[derive(Deserialize, Serialize, Clone, Debug)]
#[serde(rename_all = "camelCase")]
pub struct PrivateKey {
/// RSA or ECDSA
#[serde(skip_serializing_if = "Option::is_none")]
pub algorithm: Option<String>,
/// Key size (e.g. 2048, 4096)
#[serde(skip_serializing_if = "Option::is_none")]
pub size: Option<u32>,
/// Rotation policy: "Never" or "Always"
#[serde(skip_serializing_if = "Option::is_none")]
pub rotation_policy: Option<String>,
}
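Review bot: the hand-written `impl Default for CertificateSpec` and `impl Default for IssuerRef` can be `#[derive(Default)]`: every field is a `String`, an `Option`, or a type that already implements `Default`, and a derive cannot drift from the struct when fields are added later. Separately, `IssuerRef::kind` (documented as "Issuer" or "ClusterIssuer") and `PrivateKey::rotation_policy` (documented as "Never" or "Always") are typed `Option<String>`, so a misspelled value is only rejected by the API server at apply time; a small enum for each would make the invalid values unrepresentable at compile time.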


@@ -0,0 +1,44 @@
use kube::{CustomResource, api::ObjectMeta};
use serde::{Deserialize, Serialize};
use crate::modules::cert_manager::crd::{AcmeIssuer, CaIssuer, SelfSignedIssuer};
#[derive(CustomResource, Deserialize, Serialize, Clone, Debug)]
#[kube(
group = "cert-manager.io",
version = "v1",
kind = "ClusterIssuer",
plural = "clusterissuers",
namespaced = false,
schema = "disabled"
)]
#[serde(rename_all = "camelCase")]
pub struct ClusterIssuerSpec {
#[serde(skip_serializing_if = "Option::is_none")]
pub self_signed: Option<SelfSignedIssuer>,
#[serde(skip_serializing_if = "Option::is_none")]
pub ca: Option<CaIssuer>,
#[serde(skip_serializing_if = "Option::is_none")]
pub acme: Option<AcmeIssuer>,
}
impl Default for ClusterIssuer {
fn default() -> Self {
ClusterIssuer {
metadata: ObjectMeta::default(),
spec: ClusterIssuerSpec::default(),
}
}
}
impl Default for ClusterIssuerSpec {
fn default() -> Self {
Self {
self_signed: None,
ca: None,
acme: None,
}
}
}
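Review bot: `impl Default for ClusterIssuerSpec` is three `None`s and can be `#[derive(Default)]`. Also, `ClusterIssuerSpec` is field-for-field identical to `IssuerSpec` in the `Issuer` hunk; since `#[derive(CustomResource)]` needs a distinct spec struct per kind, a shared inner struct embedded in both with `#[serde(flatten)]` would keep the two from diverging.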


@@ -0,0 +1,44 @@
use kube::{CustomResource, api::ObjectMeta};
use serde::{Deserialize, Serialize};
use crate::modules::cert_manager::crd::{AcmeIssuer, CaIssuer, SelfSignedIssuer};
#[derive(CustomResource, Deserialize, Serialize, Clone, Debug)]
#[kube(
group = "cert-manager.io",
version = "v1",
kind = "Issuer",
plural = "issuers",
namespaced = true,
schema = "disabled"
)]
#[serde(rename_all = "camelCase")]
pub struct IssuerSpec {
#[serde(skip_serializing_if = "Option::is_none")]
pub self_signed: Option<SelfSignedIssuer>,
#[serde(skip_serializing_if = "Option::is_none")]
pub ca: Option<CaIssuer>,
#[serde(skip_serializing_if = "Option::is_none")]
pub acme: Option<AcmeIssuer>,
}
impl Default for Issuer {
fn default() -> Self {
Issuer {
metadata: ObjectMeta::default(),
spec: IssuerSpec::default(),
}
}
}
impl Default for IssuerSpec {
fn default() -> Self {
Self {
self_signed: None,
ca: None,
acme: None,
}
}
}
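Review bot: nothing in `IssuerSpec` enforces that exactly one of `self_signed`, `ca` and `acme` is set, which is what cert-manager requires; a spec with two of them set (or none) serializes without complaint here and fails only when the object is reconciled. An externally tagged enum with `#[serde(rename_all = "camelCase")]`, e.g. `Ca(CaIssuer)` serializing as `{"ca": {...}}`, would express the one-of constraint in the type.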


@@ -0,0 +1,65 @@
use serde::{Deserialize, Serialize};
pub mod certificate;
pub mod cluster_issuer;
pub mod issuer;
//pub mod score_cluster_issuer;
pub mod score_k8s_certificate;
pub mod score_k8s_issuer;
#[derive(Deserialize, Serialize, Clone, Debug)]
#[serde(rename_all = "camelCase")]
pub struct CaIssuer {
/// Secret containing `tls.crt` and `tls.key`
pub secret_name: String,
}
#[derive(Deserialize, Serialize, Clone, Debug, Default)]
#[serde(rename_all = "camelCase")]
pub struct SelfSignedIssuer {}
#[derive(Deserialize, Serialize, Clone, Debug)]
#[serde(rename_all = "camelCase")]
pub struct AcmeIssuer {
pub server: String,
pub email: String,
/// Secret used to store the ACME account private key
pub private_key_secret_ref: SecretKeySelector,
pub solvers: Vec<AcmeSolver>,
}
#[derive(Deserialize, Serialize, Clone, Debug)]
#[serde(rename_all = "camelCase")]
pub struct SecretKeySelector {
pub name: String,
pub key: String,
}
#[derive(Deserialize, Serialize, Clone, Debug)]
#[serde(rename_all = "camelCase")]
pub struct AcmeSolver {
#[serde(skip_serializing_if = "Option::is_none")]
pub http01: Option<Http01Solver>,
#[serde(skip_serializing_if = "Option::is_none")]
pub dns01: Option<Dns01Solver>,
}
#[derive(Deserialize, Serialize, Clone, Debug)]
#[serde(rename_all = "camelCase")]
pub struct Dns01Solver {}
#[derive(Deserialize, Serialize, Clone, Debug)]
#[serde(rename_all = "camelCase")]
pub struct Http01Solver {
pub ingress: IngressSolver,
}
#[derive(Deserialize, Serialize, Clone, Debug)]
#[serde(rename_all = "camelCase")]
pub struct IngressSolver {
#[serde(skip_serializing_if = "Option::is_none")]
pub class: Option<String>,
}
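Review bot: the commented-out `//pub mod score_cluster_issuer;` on the module list leaves a dead declaration; if the `ClusterIssuerScore` file added later in this diff is that module, it is currently not compiled and its breakage will go unnoticed, so either enable the module or drop the file, and delete the comment. Secondary: `Dns01Solver {}` has no fields, so `dns01: {}` serializes to an empty object that cert-manager cannot use (a DNS01 solver needs a provider block); mark it as not yet implemented rather than shipping a solver that can never be valid.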


@@ -0,0 +1,54 @@
use kube::api::ObjectMeta;
use serde::Serialize;
use crate::{
interpret::Interpret,
modules::{
cert_manager::{
capability::CertificateManagementConfig,
crd::certificate::{Certificate, CertificateSpec, IssuerRef},
},
k8s::resource::K8sResourceScore,
},
score::Score,
topology::{K8sclient, Topology},
};
#[derive(Debug, Clone, Serialize)]
pub struct K8sCertManagerCertificateScore {
pub cert_name: String,
pub issuer_name: String,
pub common_name: Option<String>,
pub dns_names: Option<Vec<String>>,
pub is_ca: Option<bool>,
pub config: CertificateManagementConfig,
}
impl<T: Topology + K8sclient> Score<T> for K8sCertManagerCertificateScore {
fn name(&self) -> String {
"CertificateScore".to_string()
}
fn create_interpret(&self) -> Box<dyn Interpret<T>> {
let cert = Certificate {
metadata: ObjectMeta {
name: Some(self.cert_name.clone()),
namespace: self.config.namespace.clone(),
..Default::default()
},
spec: CertificateSpec {
secret_name: format!("{}-tls", self.cert_name.clone()),
issuer_ref: IssuerRef {
name: self.issuer_name.clone(),
kind: Some("Issuer".into()),
group: Some("cert-manager.io".into()),
},
common_name: self.common_name.clone(),
is_ca: self.is_ca.clone(),
dns_names: self.dns_names.clone(),
..Default::default()
},
};
K8sResourceScore::single(cert, self.config.namespace.clone()).create_interpret()
}
}
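Review bot: `kind: Some("Issuer".into())` is hard-coded in `create_interpret`, so a `Certificate` built by this score can never reference a `ClusterIssuer`, even though this diff adds one; the issuer kind should come from the score or from `CertificateManagementConfig`. Minor: `self.is_ca.clone()` clones an `Option<bool>`, which is `Copy` (clippy `clone_on_copy`), and `self.cert_name.clone()` inside `format!` is a needless clone.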


@@ -0,0 +1,51 @@
use kube::api::ObjectMeta;
use serde::Serialize;
use crate::{
interpret::Interpret,
modules::{
cert_manager::crd::{
AcmeIssuer, CaIssuer, SelfSignedIssuer,
cluster_issuer::{ClusterIssuer, ClusterIssuerSpec},
},
k8s::resource::K8sResourceScore,
},
score::Score,
topology::{K8sclient, Topology},
};
#[derive(Debug, Clone, Serialize)]
pub struct ClusterIssuerScore {
name: String,
acme_issuer: Option<AcmeIssuer>,
ca_issuer: Option<CaIssuer>,
self_signed: bool,
}
impl<T: Topology + K8sclient> Score<T> for ClusterIssuerScore {
fn name(&self) -> String {
"ClusterIssuerScore".to_string()
}
fn create_interpret(&self) -> Box<dyn Interpret<T>> {
let metadata = ObjectMeta {
name: Some(self.name.clone()),
namespace: None,
..ObjectMeta::default()
};
let spec = ClusterIssuerSpec {
acme: self.acme_issuer.clone(),
ca: self.ca_issuer.clone(),
self_signed: if self.self_signed {
Some(SelfSignedIssuer::default())
} else {
None
},
};
let cluster_issuer = ClusterIssuer { metadata, spec };
K8sResourceScore::single(cluster_issuer, None).create_interpret()
}
}
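Review bot: every field of `ClusterIssuerScore` is private and there is no constructor, so nothing outside this module can build the score. The same one-of concern as for the spec types applies to the inputs: `self_signed: true` combined with `ca_issuer: Some(..)` or `acme_issuer: Some(..)` produces a spec with several issuer types that cert-manager will reject; a single `enum` field describing the issuer type would replace the `bool` plus two `Option`s.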


@@ -0,0 +1,52 @@
use kube::api::ObjectMeta;
use serde::Serialize;
use crate::{
interpret::Interpret,
modules::{
cert_manager::{
capability::CertificateManagementConfig,
crd::{
SelfSignedIssuer,
issuer::{Issuer, IssuerSpec},
},
},
k8s::resource::K8sResourceScore,
},
score::Score,
topology::{K8sclient, Topology},
};
#[derive(Debug, Clone, Serialize)]
pub struct K8sCertManagerIssuerScore {
pub issuer_name: String,
pub config: CertificateManagementConfig,
}
impl<T: Topology + K8sclient> Score<T> for K8sCertManagerIssuerScore {
fn name(&self) -> String {
"IssuerScore".to_string()
}
fn create_interpret(&self) -> Box<dyn Interpret<T>> {
let metadata = ObjectMeta {
name: Some(self.issuer_name.clone()),
namespace: self.config.namespace.clone(),
..ObjectMeta::default()
};
let spec = IssuerSpec {
acme: self.config.acme_issuer.clone(),
ca: self.config.ca_issuer.clone(),
self_signed: if self.config.self_signed {
Some(SelfSignedIssuer::default())
} else {
None
},
};
let issuer = Issuer { metadata, spec };
K8sResourceScore::single(issuer, self.config.namespace.clone()).create_interpret()
}
}
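Review bot: `self.config.namespace` is an `Option<String>`, so when it is `None` the (namespaced) `Issuer` is created with no namespace in its metadata and `K8sResourceScore::single(issuer, None)`; confirm that `single` resolves `None` to an explicit namespace rather than letting the client default decide where the issuer lands, or require the namespace in `CertificateManagementConfig`. Also, `config.self_signed`, `config.ca_issuer` and `config.acme_issuer` are combined the same way as in `ClusterIssuerScore`, with no check that only one is set.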
